A researcher warned this week that a critical flaw in America Online's Instant Messenger likely continues to pose a risk, despite a server-side fix designed to filter out possible attacks.
The filtering, however, can be fooled using obfuscated code, Aviv Raff, a researcher who also works for Web security firm Finjan, said in a post on his personal research blog.
"I've tested the PoC (proof-of-concept code) which I provided to AOL against the 'patched' version," Raff wrote. "While the latest beta version seems to filter my PoC, I've been able to change my code a little and successfully exploit the vulnerability again. The problem with AOL's patch is that they filter specific tags and attributes, instead of fixing the main cause of the vulnerability, which is locking down the local zone of their client's web-browser control."
In a statement e-mailed to SecurityFocus, America Online maintained that its server-side filtering stopped the attack described by Core and that its latest beta version of the instant messenger application fixed the flaw. Raff disputed the point and posted an e-mail response from America Online that appeared to agree that the flaw had not been fixed in the latest beta version of its product.
Instant messaging applications continue to be a target of vulnerability researchers and a vector of attack for some Trojan horse programs and bot software. Earlier this month, a worm that targeted Microsoft Windows used Skype's instant messaging client to spread. The programs targeting instant messaging applications have become increasingly complex.
America Online told Raff and Core that a patch for the issue will be released by mid-October. Raff recommended that computer users avoid using AIM until the latest update is released.
Posted by: Robert Lemos