Intruders Could Take AIM at AOL

A security firm has notified AOL that a potentially critical security hole exists in its instant messaging software, commonly referred to as AIM, that would permit an intruder to gain complete control over a user's system.

Officials from Core Security Technologies said it contacted AOL about the flaw late last month. While company executives at AOL say the hole has been closed, Core Security officials counter that the fix doesn't go far enough. However, one Core Security official said it remains unclear whether anyone has successfully exploited the hole.

The flaw resides in the most recent beta releases of AIM 6.1 and 6.2. Core Security has also found the hole in the AIM Pro, intended mainly for business users, and in AIM Lite. The company said the problem doesn't exist in version 5.9 of AIM nor in AIM 6.5, a product also currently in beta testing.

The security hole arose, according to Core Security, because of the way the affected versions allow instant messaging users to augment their conversations with a number of fonts and pictographic "emoticons." The flawed versions of AIM do this by using Microsoft Corp.'s Internet Explorer program to render images, they explained.

Core Security contends that the real problem involves AIM enabling full access to all of Internet Explorer's functions, including the ability to carry out programming commands and direct them at Web sites. By embedding specific commands in an IM session, hackers can direct a user's system to do things such as visit malicious Web sites where even more bad code could be installed.

AOL officials responded by saying the issue has been resolved and that users should feel "completely safe."

Posted by Ed Scannell on 09/27/2007 at 1:23 PM


Featured

  • Windows 10 Preview Adds Windows Subsystem for Linux 2 on ARM64 Devices

    Microsoft's latest Windows 10 preview release for testers (build 18980), announced on Wednesday, includes support for version 2 of the Windows Subsystem for Linux, plus ARM64 device support for WSL 2.

  • Microsoft Defender Advanced Threat Protection Evaluation Lab Now Available

    The Microsoft Defender Advanced Threat Protection (ATP) Evaluation Lab is now ready for use by organizations.

  • How Organizations Can Adapt to SharePoint's 'Modern' Shift

    In a September interview, SharePoint expert Asif Rehmani described how users, developers and organizations are dealing with SharePoint Online's so-called "modern" innovations.

  • Microsoft Urges LDAP Workaround Fix for Windows Systems

    Microsoft updated an August security advisory this week to urge organizations using the Lightweight Directory Access Protocol in supported Windows systems to implement some configuration changes manually.

comments powered by Disqus

Office 365 Watch

Sign up for our newsletter.

Terms and Privacy Policy consent

I agree to this site's Privacy Policy.