COMMAND
AOL Instant Messenger
SYSTEMS AFFECTED
AOL Instant Messenger versions prior to 4.3.2229
PROBLEM
The following is based on a @stake Security Advisory by Dildog, Dave
Aitel and Patrick Upatham. AOL Instant Messenger (AIM) is a
popular messaging client for Windows, with over 64 million users
according to 'http://www.aol.com/aim/home.html'. AIM ships by
default with current versions of the Netscape Communicator web
browser, as well as a standalone download.
Application weaknesses exist that allow machines with AIM
installed to be remotely taken over by external attackers.
It is important to note that you do not need to be running AIM
but merely have it installed to be vulnerable. @stake's detailed
description includes URLs that you can use to check whether you
are vulnerable.
Scenarios such as receiving malicious HTML e-mail or visiting a
malicious web site have been shown in @stake's labs to enable the
execution of arbitrary code on a vulnerable target machine.
This potentially places environments using the AOL Instant
Messenger at grave risk. As these vulnerabilities are a result
of client-initiated communications, most corporate firewall
configurations do not guard these environments from attack.
Advisory Reference:
http://www.atstake.com/research/advisories/2000/a121200-1.txt
In March 2000, Joseph Testa discovered the same vulnerability in
AOL Instant Messenger (back then the latest version was 3.5.18??).
It was a buffer overflow in AIM's "screenname=" command line
argument that is passed in via the "aim://" protocol of a
browser. For more info see:
http://oliver.efri.hr/~crv/security/bugs/Others/aol12.html
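Because the overflow is reached through "aim:" links in HTML e-mail or web pages, a mail gateway or proxy can flag such links when a parameter is far longer than any real screen name. The sketch below is an added example, not code from @stake or AOL; the 64-character threshold, the function name and the sample HTML are assumptions made for illustration.

```python
import re
from html import unescape
from urllib.parse import unquote

# Assumption: 64 is an arbitrary review threshold chosen for this example;
# the advisory does not state the buffer size.
MAX_PARAM_LEN = 64

# aim: or aim:// URIs in attributes or bare text; \b avoids matching "claim:".
AIM_URI = re.compile(r"\baim:(?://)?([^\s\"'<>]+)", re.IGNORECASE)

# Constructed sample input (not taken from the advisory).
SAMPLE_HTML = (
    '<a href="aim:goim?screenname=friend01&amp;message=hi">chat</a>\n'
    '<img src="aim:goim?screenname=' + "x" * 300 + '">\n'
)


def find_suspicious_aim_uris(html, max_len=MAX_PARAM_LEN):
    """Return (parameter, decoded_length) for each over-long aim: parameter."""
    findings = []
    # Decode HTML entities first so "&amp;" separators split correctly.
    for match in AIM_URI.finditer(unescape(html)):
        for piece in re.split(r"[?&;]", match.group(1)):
            name, sep, value = piece.partition("=")
            if not sep:
                continue  # action token such as "goim", not a parameter
            length = len(unquote(value))  # measure after percent-decoding
            if length > max_len:
                findings.append((name.lower(), length))
    return findings


if __name__ == "__main__":
    for param, length in find_suspicious_aim_uris(SAMPLE_HTML):
        print(f"over-long aim: parameter {param!r}: {length} characters")
```

A hit is a reason to quarantine or strip the link for review; it does not replace upgrading to the fixed client version.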
SOLUTION
Should a vendor patch not be available or not meet the needs
of your particular environment, @stake offers several
alternative measures in this advisory to help mitigate portions
of this risk.
AOL has a fixed version, 4.3.2229, dated 12/6/2000, available now.