Despite AOL's claim, AIM worm hole still wide open

Summary: There's a nasty worm hole in America Online's standalone AIM (instant messaging) software that won't be patched until the middle of October.

AOL claims that the vulnerability, which allows a remote attacker to launch executable code without any user action, has been patched in the latest beta client. But, as I've confirmed in a test with security researcher Aviv Raff (see screenshot below), even a fully patched copy of the beta is still wide open to a nasty worm attack.

Production copies of the software, which sits on tens of millions of desktops around the world, are also unpatched.

[SEE: Zero-day flaws surface in AOL, Yahoo IM products ]

In the demonstration, Raff simply sent me an IM to trigger the launch of the calculator application. The attack scenario works without the target clicking on a link and only requires that the AIM user is logged on and accepting incoming messages.

This vulnerability, first reported to AOL by researchers at Core Security more than a month ago, is caused by the way AIM renders HTML content in IM messages via an embedded Internet Explorer browser control.


In an advisory issued after a lengthy back-and-forth with AOL security engineers, Core warned:

[AIM does] not properly sanitize the potentially malicious input content to be rendered and, as a result, an attacker might provide malicious HTML content as part of an IM message to directly exploit Internet Explorer bugs or to target IE's security configuration weaknesses.

The attack scenarios outlined by Core include:

  • Direct remote execution of arbitrary commands without user interaction.
  • Direct exploitation of IE bugs without user interaction. For example, bugs that normally require the user to click on a URL provided by the attacker can be exploited directly using this attack vector.
  • Direct injection of scripting code in Internet Explorer. For example, remotely injecting JavaScript code into the embedded IE control of the AIM client.
  • Remote instantiation of ActiveX controls in the corresponding security zone.
  • Cross-site request forgery and token/cookie manipulation using embedded HTML.

AOL coordinated with Core on the release of the advisory on the understanding that the flaw was patched in the latest beta version but, as Raff discovered, the underlying vulnerability was never fixed.

"The problem with AOL's patch is that they filter specific tags and attributes, instead of fixing the main cause of the vulnerability, which is locking down the local zone of their client's web-browser control," Raff said.
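To make Raff's point concrete, here is an added example in JavaScript; it is not AOL's filter, Core's proof-of-concept, or Raff's bypass, and the filter rules, the two sample messages and every function name in it are constructed for illustration. It pairs a hypothetical tag/attribute denylist of the kind described (strip `<script>` elements and whitespace-separated `on*` handlers, pass everything else to the renderer) with two messages that walk straight through it, and then an allowlist sanitizer that escapes every construct it does not explicitly permit. Note that even the allowlist only addresses the symptom; the fix Raff calls for is locking down the security zone the browser control runs in, so that whatever does get rendered cannot reach the local machine.

```javascript
// Added example (not AOL's, Core's or Raff's code): a denylist filter of the
// kind described in the article, two constructed messages that bypass it, and
// an allowlist sanitizer that escapes everything it does not permit.
// All filter rules, sample messages and helper names are constructed here.

// Hypothetical denylist filter: strips <script>...</script> elements and
// whitespace-separated on* event-handler attributes, passes the rest through.
function denylistFilter(html) {
  return html
    .replace(/<script\b[^>]*>[\s\S]*?<\/script\s*>/gi, "")
    .replace(/\son[a-z]+\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)/gi, "");
}

// Crude check used only to make the point testable: does the output still
// contain an event-handler attribute or a javascript: URL inside a tag?
// (A demonstration aid, not a security control.)
function containsActiveContent(html) {
  return /<[^>]*(\bon[a-z]+\s*=|javascript:)/i.test(html);
}

function escapeText(s) {
  return s.replace(/&/g, "&amp;").replace(/</g, "&lt;")
          .replace(/>/g, "&gt;").replace(/"/g, "&quot;");
}

// Allowlist sanitizer: the only markup that survives is a bare <b>, <i>, <u>
// or <br> with no attributes. Anything else (unknown tag, any attribute) is
// escaped as text rather than removed, so stripped fragments can never
// reassemble into a live tag.
const ALLOWED_TAGS = new Set(["b", "i", "u", "br"]);

function allowlistSanitize(html) {
  const tagRe = /<(\/?)([a-zA-Z][a-zA-Z0-9]*)([^>]*)>/g;
  let out = "", last = 0, m;
  while ((m = tagRe.exec(html)) !== null) {
    out += escapeText(html.slice(last, m.index));
    const [whole, slash, name, attrs] = m;
    if (ALLOWED_TAGS.has(name.toLowerCase()) && attrs.trim() === "") {
      out += `<${slash}${name.toLowerCase()}>`;
    } else {
      out += escapeText(whole);
    }
    last = m.index + whole.length;
  }
  return out + escapeText(html.slice(last));
}

// Constructed IM payloads, both of which need no click from the recipient.
const BYPASSES = [
  // Attribute not preceded by whitespace: HTML parsers accept "/" as a
  // separator, but it is not "\s", so the on* regex never fires.
  '<img/src=x/onerror=alert(1)>',
  // No <script> and no on* attribute at all; the denylist has no rule for it.
  '<iframe src="javascript:alert(1)"></iframe>',
];

// Constructed benign message: formatting tags plus literal < > & characters.
const BENIGN = '<b>hi</b> <i>there</i> 1 < 2 & 3 > 2';

function demo() {
  return BYPASSES.map((p) => ({
    payload: p,
    afterDenylist: denylistFilter(p),
    denylistStillActive: containsActiveContent(denylistFilter(p)),
    afterAllowlist: allowlistSanitize(p),
    allowlistStillActive: containsActiveContent(allowlistSanitize(p)),
  }));
}

// Usage: node this_file.js
for (const r of demo()) console.log(r);
console.log(allowlistSanitize(BENIGN));
```

Each new denylist rule only closes the one variant somebody bothered to report; the allowlist fails safe because the decision is "is this exactly one of the few things I render as markup", not "have I thought of every way to smuggle script through".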

The scary thing in all this is that Core Security and Raff are not the only researchers finding trivial variations of this flaw. Earlier this month, security researchers "Shell" and "Lone" issued a public warning for what appears to be a similar input-sanitization bug.

Even worse, AOL has not seen fit to fix the issue for its millions of production users. Quite apart from the proof that the flaw has not actually been fixed in the beta updates, there is no excuse for AOL to patch only beta versions, which are generally frowned upon in many businesses that rely on AIM for inter-office communication.

AOL is on record as saying a comprehensive patch won't be available until the middle of October.

In the meantime, if you're using standalone AIM on desktops with valuable data, my best advice is to log off immediately and uninstall the product. Cross-platform IM clients like Trillian (Windows) and Adium (Mac) can fill in as replacements.

[UPDATE: September 27, 2007 @ 3:17 PM] A statement from AOL's Erin Gifford:

I spotted your post and wanted to let you know that as of today no AIM users are at risk. We were able to implement server side fixes that fully address all of the client vulnerabilities cited by Aviv Raff in his blog. Regardless of the AIM client our users are currently on, they are completely protected.

Aviv Raff responds:

They've added my adjusted proof-of-concept to their filters, but it took me 5 seconds to bypass it.  Took them over 3 hours to add one filter, which I bypassed in 5 seconds. This is an endless cat and mouse game. And the cat can never win.

Talkback

10 comments
  • OK, I have to ask.

    Why is anyone still using AOL anyway?
    itpro_z
    • OK, I have to ask.

      You'd be surprised, like I was.

      _r
      Ryan Naraine
    • It's not AOL

      It's AOL's instant messaging (AIM).
      I still use it, because several of my friends from when I did use it have AOL or AIM.
      But, the question is, if one closes off incoming messages, does that close the vulnerability? If so, why uninstall? Why not just close the incoming messages from new users?
      LegendsOfBatman
  • Pidgin (formerly GAIM): http://pidgin.im/

    nt
    D T Schmitz
  • Pidgin (formerly GAIM) / AIM replacement

    Pidgin: http://pidgin.im/
    D T Schmitz
  • RE: Despite AOL's claim, AIM worm hole still wide open

    Gives me creeps...
    Grayson Peddie
  • This question goes out to Ryan Naraine .

    So this doesn't affect AIM versions for Mac. I wonder why not?

    "The attack scenarios outlined by Core includes:

    Direct remote execution of arbitrary commands without user interaction.
    Direct exploitation of IE bugs without user interaction. For example, exploitation bugs that normally require the user to click on a URL provided by the attacker can be exploited directly using this attack vector.
    Direct injection of scripting code in Internet Explorer. For example, remotely injecting JavaScript code into the embedded IE control of the AIM client.
    Remote instantiation of Active X controls in the corresponding security zone.
    Cross-site request forgery and token/cookie manipulation using embedded HTML."

    "[AIM does] not properly sanitize the potentially malicious input content to be rendered and, as a result, an attacker might provide malicious HTML content as part of an IM message to directly exploit Internet Explorer bugs or to target IE's security configuration weaknesses."

    Isn't this the same problem Apple's Safari & Mozilla's Firefox were having by not properly sanitizing the input code for Internet Explorer?
    Intellihence
    • On Windows, AIM embeds IE

      On Windows, AIM embeds MSHTML (the IE HTML parsing and rendering component) -- for both the part of the conversation window that shows the actual conversation, and for the area in which you type your message. Since MSHTML is only available on Windows, only the Windows version uses it.

      It has nothing to do with the Safari/Mozilla issues; those issues referred to when those browsers launched IE to handle a URL.
      PB_z
      • So.....

        Once again, it's really, as in the case of the Skype worm, a Microsoft Windows problem that has surfaced in a 3rd-party software implementation.
        tracy anne
      • I beg to differ ,,,

        The problem seems to be with the URI protocol handler, the same issue Apple and Mozilla were facing. Read the story at eWeek.com

        http://www.eweek.com/article2/0,1895,1633773,00.asp
        Intellihence