Despite AOL's claim, AIM worm hole still wide open

There's a nasty worm hole in America Online's standalone AIM (instant messaging) software that won't be patched until the middle of October.

Despite AOLÂ’s claim, AIM worm hole still wide open

There's a nasty worm hole in America Online's standalone AIM (instant messaging) software that won't be patched until the middle of October.

AOL claims that the vulnerability, which allows a remote attacker to launch executable code without any user action, has been patched in the latest beta client but, as I've confirmed in a test with security researcher Aviv Raff (see screenshot below), fully patched versions of the beta is still wide open to a nasty worm attack.

Production copies of the software, which sits on tens of millions of desktops around the world, are also unpatched.

[SEE: Zero-day flaws surface in AOL, Yahoo IM products ]

In the demonstration, Raff simply sent me an IM to trigger the launch of the calculator application. The attack scenario works without the target clicking on a link and only requires that the AIM user is logged on and accepting incoming messages.

This vulnerability, first reported to AOL by researchers at Core Security more than a month ago, is caused by the way AIM supports the rendering of HTML content via an embedded Internet Explorer server control.

Despite AOLÂ’s claim, AIM worm hole still wide open

In an advisory issued after a lengthy back-and-forth with AOL security engineers, Core warned:

[AIM does] not properly sanitize the potentially malicious input content to be rendered and, as a result, an attacker might provide malicious HTML content as part of an IM message to directly exploit Internet Explorer bugs or to target IE's security configuration weaknesses.

The attack scenarios outlined by Core includes:

  • Direct remote execution of arbitrary commands without user interaction.
  • Direct exploitation of IE bugs without user interaction. For example, exploitation bugs that normally require the user to click on a URL provided by the attacker can be exploited directly using this attack vector.
  • Direct injection of scripting code in Internet Explorer. For example, remotely injecting JavaScript code into the embedded IE control of the AIM client.
  • Remote instantiation of Active X controls in the corresponding security zone.
  • Cross-site request forgery and token/cookie manipulation using embedded HTML.

AOL coordinated with Core on the release of the advisory on the understanding that the flaw was patched in the latest beta version but, as Raff discovered, the underlying vulnerability was never fixed.

"The problem with AOL's patch is that they filter specific tags and attributes, instead of fixing the main cause of the vulnerability, which is locking down the local zone of their client's web-browser control," Raff said.

The scary thing in all this is that Core Security and Raff are not the only researchers finding trivial variations of this flaw. Earlier this month, a security researchers "Shell" and "Lone" issued a public warning for what appears to be a similar input sanitization bug.

Even worst, AOL has not seen it fit to fix the issue for its millions of users. Outside of proof that the flaw has not been fixed in beta updates, there really is no excuse for AOL to opt only to fix beta versions -- which are generally frowned upon in many businesses that rely on AIM for inter-office communication.

AOL is on record as saying a comprehensive patch won't be available until the middle of October.

In the meantime, if you're using standalone AIM on desktops with valuable data, my best advice is to log off immediately and uninstall the product. Cross-platform IM clients like Trillian (Windows) and Adium (Mac) can fill in as replacements.

[ UPDATE:  September 27, 2007 @ 3:17 PM]  A statement from AOL's Erin Gifford:

I spotted your post and wanted to let you know that as of today no AIM users are at risk. We were able to implement server side fixes that fully address all of the client vulnerabilities cited by Aviv Raff in his blog. Regardless of the AIM client our users are currently on, they are completely protected.

Aviv Raff responds:

They've added my adjusted proof-of-concept to their filters, but it took me 5 seconds to bypass it.  Took them over 3 hours to add one filter, which I bypassed in 5 seconds. This is an endless cat and mouse game. And the cat can never win.