COMMAND
AOL Instant Messenger
SYSTEMS AFFECTED
AOL Instant Messenger 4.1 to current (including 4.4 alpha), older versions probably affected
PROBLEM
'Dont Know Guilt' found the following. AOL Instant Messenger has
the ability to embed images into an instant message. The user
sends the graphic to the person they wish to show, and the graphic
shows up on their screen. However, if the graphic is not a valid
image then an icon will be displayed showing the file type (i.e.,
if you send an invalid jpeg image, then the icon will show ".JPG").
The bug occurs in the way that the images are handled by AIM when
saving chat conversations. The images are saved in the following
format:
<BINARY><STYLE><DATA ID="1" SIZE="66">Data that would be inside a GIF</DATA></BINARY>
If you were to send an HTML file which included malicious
JavaScript/VBScript code with an image extension that started with
</DATA></STYLE></BINARY>, then the code would be executed if logs
of the conversation were saved and viewed with the default
browser. One could also embed a web bug, Java applet, etc. With
versions of AIM previous to 4.4, this may be a trick. In AIM 4.4,
however, IM logs are saved by default to
C:\AimLogs\Username\IMLog.htm, and while AIM has a utility to view
the logs, it's not too outlandish to think that some might view
the logs directly with their browsers. Additionally, you can also
take a legitimate image, and append the HTML code to the end of
the image, which achieves the same results.
If there is any consolation, it is in the fact that Internet
Explorer will ask before letting the log do anything malicious,
although if the user chooses yes this first time, it's possible to
disable the confirmation, as well as manipulate the registry to
allow access to any file to any AIM user.
SOLUTION
There are a few things that can be done. The first is simply to
not accept any image connections. Also, if you're going to view
the logs, make sure you have ActiveX disabled, and don't click Yes if
it asks. Additionally, if using AIM 4.4 or higher, always view
the logs from the Log Manager. The other item would be to save
the logs as a text file, rather than html.
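
The following is an added example, not part of the original advisory and not AOL code: a check that can be run over a saved HTML log before it is opened in a browser. It reports embedded DATA blocks whose contents break out of the container and writes a copy with the payloads HTML-escaped. It assumes SIZE is the byte length of the payload; the names scan_log, entry and SAMPLE, and the sample log, are constructed for illustration.

```python
import html
import re

# Opening tag of an embedded object, as shown in the advisory's log format.
DATA_OPEN = re.compile(rb'<DATA ID="(\d+)" SIZE="(\d+)">', re.I)
CLOSE = b"</DATA>"


def scan_log(log: bytes):
    """Return (findings, sanitized_log) for the bytes of a saved AIM HTML log."""
    findings, out, pos = [], [], 0
    for m in DATA_OPEN.finditer(log):
        if m.start() < pos:  # tag sits inside a payload that was already consumed
            continue
        size = int(m.group(2))  # assumption: SIZE counts payload bytes
        end = m.end() + size
        payload = log[m.end():end]
        reasons = []
        # A real image has no reason to carry the container's closing tag.
        if CLOSE.lower() in payload.lower():
            reasons.append("payload contains </DATA>")
        # The closing tag must sit exactly where SIZE says the payload ends.
        if log[end:end + len(CLOSE)].upper() != CLOSE:
            reasons.append("no </DATA> at declared SIZE")
        if reasons:
            findings.append((int(m.group(1)), reasons))
        out.append(log[pos:m.end()])
        # Escape the payload so a browser renders it as text, never as markup.
        out.append(html.escape(payload.decode("latin-1")).encode("latin-1"))
        pos = end
    out.append(log[pos:])
    return findings, b"".join(out)


def entry(ident: int, payload: bytes) -> bytes:
    """Build one constructed log entry in the advisory's format."""
    return b'<BINARY><STYLE><DATA ID="%d" SIZE="%d">%s</DATA></BINARY>' % (
        ident, len(payload), payload)


# Constructed sample: one image-like payload, one that closes the container early.
SAMPLE = (entry(1, b"GIF89a\x01\x00\x01\x00") + b"<BR>" +
          entry(2, b"</DATA></STYLE></BINARY><B>constructed marker</B>"))

if __name__ == "__main__":
    found, clean = scan_log(SAMPLE)
    for ident, reasons in found:
        print("DATA ID", ident, "->", "; ".join(reasons))
```

The sanitized copy is meant only for viewing; escaping changes the embedded bytes, so it does not preserve the images themselves.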