NOW READ THIS
("Security Advisory")



Submitted by: Bill Hickey
NCVA List Master

NRT-0304 Doubts Raised Over AOL's AIM Security:


America Online (AOL) has patched a "serious" flaw in its instant-messaging software, but more such problems may lie just ahead, according to a security researcher. The flaw affects how the AOL Instant Messaging (AIM) software uses Internet Explorer's software to render HTML messages. By sending a maliciously encoded HTML message to an AIM user, an attacker could run unauthorized software on a victim's computer or force the IE browser to visit a maliciously encoded web page. AOL says it knows of no attacks that exploit this problem, but security expert Aviv Raff has warned that the flaw could possibly be used in a self-replicating computer worm attack. Although AOL's 6.5 update, released on 03OCT07, was supposed to address this bug, Raff said the patch had not fixed the underlying problem. "While it does fix the specific attack vector of the vulnerability, it still does not utilize the Local Zone lock-down," he said. This means that an attacker who discovered some new way to insert malicious script into an HTML AIM message could end up running unauthorized software on the victim's machine, he explained.

(www.techworld.com 16OCT07)


Last Modified: Saturday, 27-Oct-2007 18:23:32 EDT