NOW READ THIS
("Security Advisory")
Submitted by: Bill Hickey
NCVA List Master
NRT-0304 Doubts Raised Over AOL's AIM Security:
America Online (AOL) has patched a "serious" flaw in its instant-messaging software, but more such
problems may lie just ahead, according to a security researcher. The flaw lies in how the AOL
Instant Messenger (AIM) client uses Internet Explorer's rendering engine to display HTML messages. By
sending a maliciously crafted HTML message to an AIM user, an attacker could run unauthorized
software on the victim's computer or force IE to load a malicious web page. AOL says it knows of no
attacks that exploit this problem, but security researcher Aviv Raff has warned that the flaw could
be used by a self-replicating worm. Although AOL's AIM 6.5 update, released on 03OCT07, was supposed
to address this bug, Raff said the patch had not fixed the underlying problem. "While it does fix the
specific attack vector of the vulnerability, it still does not utilize the Local Zone lock-down," he
said. This means that an attacker who discovered some new way to insert malicious script into an
HTML AIM message could still end up running unauthorized software on the victim's machine, he
explained.
(www.techworld.com 16OCT07)
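Raff's point, that blocking one reported vector is not the same as removing the renderer's ability to run script, is illustrated below with an added example. This is not AIM code and not the actual AIM bug (the article does not describe the specific vector); it is a constructed Python comparison of a block-list filter that strips only <script> tags against an allow-list sanitizer that rebuilds the message from approved tags and attributes. The sample messages, tag list, and helper names are assumptions made for the illustration.

```python
"""Block-list vs allow-list filtering of untrusted HTML before it reaches a
privileged renderer.

Added example, not code from AIM, AOL, or the Techworld article. The AIM
vulnerability's real attack vector is not described on the page; the inputs
below are constructed to show that removing one vector (<script> tags) leaves
other ways to run script, while an allow-list removes the capability itself.
"""
import re
from html import escape
from html.parser import HTMLParser


def blocklist_filter(markup: str) -> str:
    """Naive 'fix the reported vector' filter: strips <script>...</script> only."""
    return re.sub(r"<script\b[^>]*>.*?</script>", "", markup, flags=re.I | re.S)


# Allow-list (assumed for this example): the only tags/attributes the
# message renderer is ever handed. Anything else is dropped, not blocked.
ALLOWED_TAGS = {"b", "i", "u", "br", "p", "font"}
ALLOWED_ATTRS = {"font": {"color", "size", "face"}}


class AllowlistSanitizer(HTMLParser):
    """Rebuilds markup from scratch, keeping only allow-listed tags/attributes.

    script/style bodies are discarded entirely; text is re-escaped so it can
    never re-open a tag. Event-handler attributes and javascript: URLs fall
    out automatically because neither the attribute nor the tag is allowed.
    """

    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.out: list[str] = []
        self.skip_depth = 0  # >0 while inside a <script> or <style> element

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip_depth += 1
            return
        if tag not in ALLOWED_TAGS:
            return
        kept = [
            f' {name}="{escape(value, quote=True)}"'
            for name, value in attrs
            if name in ALLOWED_ATTRS.get(tag, set()) and value is not None
        ]
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            if self.skip_depth:
                self.skip_depth -= 1
            return
        if tag in ALLOWED_TAGS and tag != "br":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data))


def allowlist_sanitize(markup: str) -> str:
    parser = AllowlistSanitizer()
    parser.feed(markup)
    parser.close()
    return "".join(parser.out)


def contains_script_vector(markup: str) -> bool:
    """Crude check used only to report what survives each filter:
    script tags, inline on* event handlers, and javascript: URLs."""
    return bool(re.search(r"<script\b|\bon\w+\s*=|javascript:", markup, re.I))


# Constructed messages: one benign, three carrying script via different vectors.
SAMPLES = {
    "benign": '<b>hi</b> <font color="red">there</font>',
    "script_tag": "<script>alert(1)</script>hello",
    "event_handler": '<img src="x" onerror="alert(1)">hello',
    "js_url": '<a href="javascript:alert(1)">click</a>',
}


def compare_filters() -> dict:
    """Return {name: (script left after block-list, script left after allow-list)}."""
    return {
        name: (
            contains_script_vector(blocklist_filter(m)),
            contains_script_vector(allowlist_sanitize(m)),
        )
        for name, m in SAMPLES.items()
    }


if __name__ == "__main__":
    for name, (bl, al) in compare_filters().items():
        print(f"{name:14s} block-list leaves script: {bl!s:5s} allow-list leaves script: {al}")
```

The block-list version passes the event-handler and javascript: URL messages untouched, which is the shape of the problem Raff describes: each newly discovered vector needs its own patch. The allow-list version never hands the renderer anything it was not explicitly told to accept, so a new vector has nothing to attach to. In a real client this sits alongside, not instead of, running the rendering control in a restricted zone.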