Risk: High
A critical security flaw has been identified in AOL Instant Messenger.
The Windows version of AOL Instant Messenger contains a vulnerability that resides in the 'away' feature of the application. Attackers can exploit this by remotely executing code by injecting HTML or JavaScript into Internet Explorer and can subsequently use the privileges of the user who launched the AIM application.
For a user to be exposed to this flaw, it requires them to click on a malicious URL supplied in an instant message.
Aviv Raff, a researcher for web security firm Finjan, explains that the patch issued by AOL still contains a flaw which can be exploited. "While the latest beta version seems to filter my PoC, I've been able to change my code a little and successfully exploited the vulnerability again. The problem with AOL's patch is that they filter specific tags and attributes, instead of fixing the main cause of the vulnerability, which is locking down the local zone of their client's web-browser control." America Online will issue another patch and users are urged not to use AIM until the patch is released and the flaw has been fixed.