[Infowarrior] - AOL Instant Messaging Client Vulnerable to Exploitation

Richard Forno rforno at infowarrior.org
Sat Sep 29 14:36:48 UTC 2007


AOL Instant Messaging Client Vulnerable to Exploitation, Uninstall It Now
By Ryan Singel, September 27, 2007

http://blog.wired.com/27bstroke6/2007/09/aol-instant-mes.html

AOL's Instant Messaging software, both old and the new beta, contains a
security hole that lets anyone who sends you a message run arbitrary
commands and exploit Internet Explorer without the user having to do
anything, according to Ryan Naraine at Zero Day.

The hole, first reported to AOL more than a month ago, will not be fixed
until the middle of October for the millions of people using AOL's AIM
client.

    AOL claims that the vulnerability, which allows a remote attacker to
launch executable code without any user action, has been patched in the
latest beta client but, as I've confirmed in a test with security researcher
Aviv Raff (see screenshot below), fully patched versions of the beta are
still wide open to a nasty worm attack.

    Production copies of the software, which sits on tens of millions of
desktops around the world, are also unpatched.

Anyone running the software should uninstall it and use an alternative, such
as a web-based client such as Meebo or a third-party IM client such as
Trillian or Pidgin to use an AIM account.

Update: Apple iChat is not vulnerable (thanks to that lower case i in its
name, I presume).

Despite AOL's claim, AIM worm hole still wide open (ZDNET's Zero Day blog)
