If at first you don't succeed; call it version 1.0
Tuesday, September 25, 2007

AOL's AIM is one of the most used IM clients in the world. According to Neilsen/Netratings, AOL had around 53 million IM subscribers in 2006.

A week ago, I've found a critical vulnerability in the latest version of AIM, which could allow an attacker to execute code from remote by simply sending a message to the victim.

Just before reporting the vulnerability to AOL, I've encountered a blog post by Ryan Naraine which describes a vulnerability in AIM that was found by "Shell". After reading the advisory, I understood that this vulnerability is a bit different from the one that I found, as it is in the Notification window which pops-up only when you are not in the middle of conversation with the attacker.

So, I've decided to report the vulnerability to AOL, and provided full description and Proof-of-Concepts. I have yet to receive any response from AOL.

Today, Core Labs have published an advisory which describes the general case of my findings. In the advisory they also claim that AOL has patched the vulnerability, so the latest beta version (v6.5.3.12) of AIM is not vulnerable anymore.

I've tested the PoC which I provided to AOL against the "patched" version. While the latest beta version seems to filter my PoC, I've been able to change my code a little and successfully exploited the vulnerability again.

The problem with AOL's patch is that they filter specific tags and attributes, instead of fixing the main cause of the vulnerability, which is locking down the local zone of their client's web-browser control.

Core Labs describes a workaround in their advisory which messes up with the registry. I think that the common people should avoid this workaround, and stop using AIM until a real fix from AOL will arrive.

I also encourage AOL security staff to contact me as soon as possible. I am willing to provide them with all the new information. I will not contact AOL again, as I'm still waiting for AOL to respond my first email.

[UPDATE:] I've just got an email from AOL which confirms that the "patched" beta version is still vulnerable:


Hi,

We apologize, for not initially responding to your email.  We have already fixed out client on these issues and the client is scheduled for a mid-October release.  This fix is not yet in the current AIM beta client.

Thanks
AOL Product Vulnerability Team


Again, try to avoid using AIM at-least until the mid-October release.


Tuesday, September 25, 2007 9:13:52 PM UTC | Comments [5] | Security#
Tuesday, September 25, 2007 10:19:26 PM UTC
I would contact AOL myself if I were you, instead of simply encouraging someone from inside your blog post - initially it looks like you would like to help everyone out, but the fact that someone else had already found your 1-week-old finding turns out to be enough to keep you from cooperating with the security community anymore. Sleep on it! and stop using AIM for sure!

Peter
Tuesday, September 25, 2007 10:32:15 PM UTC
Peter,
Most of the information about my "1-week-old" finding is already available in Core Labs advisory.
My concern here is that AOL think that they have fixed their vulnerability, while blackhats will find out that it is still possible to exploit it.
Tuesday, September 25, 2007 10:59:02 PM UTC
Hey there,

I believe the whole point of the advisory is to warm users NOT to trust that particular type of software, no matter whether the vendor states that the issue is fixed/patched or not. We all know that a patch most likely ends up corrupting other functionality and creating more bugs - there are bugs everywhere - if such a stupid type of issue came to the surface, imagine the ones that we are overlooking!

If you are concerned about blackhats more than before, then go ahead and contact AOL. I believe that advisory from Core clearly states that current host-side mitigations are weak and prone to be bypassed.

Why the crap would these guys have 5 different versions for the same software?! Bugs found in 4 out of 5? I wouldn't use that last patched version even if I had a gun pointing at my head. That's the message users need to get.

Nice blog, keep it up.
Peter
Thursday, October 04, 2007 1:17:59 PM UTC
Can you please confirm the latest AIM release fixes the issue?
Sunday, October 14, 2007 4:57:22 PM UTC
My answer is in the following post: http://aviv.raffon.net/2007/10/14/AIMV65IsOut.aspx
Comments are closed.     
Send me an Email
Follow me on Twitter
RSS Feeds
  
Blogroll
Archive
Admin Login
Sign In
Disclaimer
The opinions expressed herein are my own personal opinions and do not represent my employer's view in anyway.