NOW READ THIS
("Security Advisory")
Submitted by: Bill Hickey
NCVA List Master
NRT-0299 AOL Instant Messenger Vulnerable:
A critical flaw in the way AOL's AIM instant messaging client
displays web-based graphics could be exploited to create a self-replicating worm
attack. The flaw was discovered by researchers at Core Security Technologies,
which has reportedly been working with AOL over the past few weeks to patch the
problem. AOL's servers are now filtering instant messaging traffic to intercept
any attacks, but the company has yet to patch the underlying problem in its client
software. The flaw lies in the way the AIM software uses Internet Explorer
to render HTML messages. By sending a maliciously encoded HTML message to
an AIM user, an attacker could run unauthorized software on a victim's computer
or force the IE browser to visit a maliciously encoded web page. An IM worm that
exploits this flaw would not require user interaction.
(www.computerworld.com.au 26SEP07)