
AOL fails to fill nasty Aim hole

Disconnect it now, says security expert
Fri Sep 28 2007, 08:58

A SECURITY boffin is advising users to disconnect AOL's AIM instant messaging client because of a huge security hole that leaves their systems open to attack.

AOL claims that the vulnerability, which allows a remote attacker to run executable code on the victim's machine without any user action, has been patched in the latest beta client.

But according to security researcher Aviv Raff, fully patched versions of the beta are still wide open to attack.

Raff sent ZDNet hacks an IM crafted to launch the Windows calculator application, and sure enough the hacks were adding up within seconds.

Core Security found the hole more than a month ago. It is caused by the way AIM renders HTML content in messages through an embedded Internet Explorer control, so anything the filter lets through is handed to IE's rendering engine.

Raff discovered that AOL's patch never fixed the underlying vulnerability: the only thing the company did was filter out specific tags and attributes, a blacklist that an attacker can route around with markup the filter does not recognise but the rendering engine does.
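Why filtering "specific tags and attributes" is so easy to get around is shown below with an added Python example that is not from the article, AOL or Raff. It contains a hypothetical single-pass blacklist filter of the kind the article describes, two constructed messages that slip through it, a parser-based check on what an HTML engine would actually act on, and two fixes that remove the root cause (escaping the message before it reaches the rendering engine, or rebuilding it from a parsed allowlist). The payloads, the blacklist rules and all function and class names are assumptions; AOL's real filter rules and Raff's actual bypass are not given on the page.

```python
import html
import re
from html.parser import HTMLParser

# Constructed sample messages (not Raff's actual test IMs); alert(1) is a harmless
# stand-in for the calculator-launching code the article describes.
NESTED_TAG_PAYLOAD = "hi <scr<script>ipt>alert(1)</scr</script>ipt>"
UNQUOTED_ATTR_PAYLOAD = "<img src=x onerror=alert(1)>"

# --- The kind of fix the article describes: strip "specific tags and attributes" ---
# Hypothetical blacklist; AOL's real filter rules are not given in the article.
BLOCKED_TAGS = ("script", "iframe", "object", "embed")
_TAG_RES = [re.compile(rf"</?{t}\b[^>]*>", re.IGNORECASE) for t in BLOCKED_TAGS]
# Only recognises on* event handlers whose value is double-quoted.
_EVENT_ATTR_RE = re.compile(r'\son\w+\s*=\s*"[^"]*"', re.IGNORECASE)


def naive_filter(message: str) -> str:
    """Single-pass blacklist: remove known-bad tags, then double-quoted on* attributes."""
    out = message
    for rx in _TAG_RES:
        out = rx.sub("", out)  # one pass: removing an inner tag can *create* an outer one
    return _EVENT_ATTR_RE.sub("", out)


# --- A check on what actually reaches the HTML engine ---
class _ActiveContentDetector(HTMLParser):
    """Records script-like tags and event-handler attributes a renderer would act on."""

    def __init__(self) -> None:
        super().__init__()
        self.hits: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag in BLOCKED_TAGS:
            self.hits.append(tag)
        for name, _value in attrs:  # HTMLParser lower-cases tag and attribute names
            if name.startswith("on"):
                self.hits.append(f"{tag}@{name}")


def active_content(markup: str) -> list[str]:
    """Return the active elements/attributes an HTML parser finds in `markup`."""
    det = _ActiveContentDetector()
    det.feed(markup)
    det.close()
    return det.hits


# --- Two fixes that address the root cause instead of the symptom ---
def render_as_text(message: str) -> str:
    """Treat the IM as data, not markup: escape it before it reaches the HTML engine."""
    return html.escape(message, quote=True)


class _AllowlistSanitizer(HTMLParser):
    """Re-serialises only a fixed set of formatting tags; everything else becomes text."""

    ALLOWED = {"b": (), "i": (), "u": (), "br": (), "a": ("href",)}

    def __init__(self) -> None:
        super().__init__()
        self.out: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag not in self.ALLOWED:
            return  # unknown tag dropped; its text content still arrives via handle_data
        kept = []
        for name, value in attrs:
            if name not in self.ALLOWED[tag] or value is None:
                continue
            if name == "href" and not value.lower().startswith(("http://", "https://")):
                continue  # rejects javascript: and other non-web schemes
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in self.ALLOWED:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(html.escape(data, quote=True))


def sanitize_allowlist(message: str) -> str:
    """Parse the message, keep only allowlisted tags/attributes, rebuild the markup."""
    san = _AllowlistSanitizer()
    san.feed(message)
    san.close()
    return "".join(san.out)


if __name__ == "__main__":
    for payload in (NESTED_TAG_PAYLOAD, UNQUOTED_ATTR_PAYLOAD):
        print("blacklist  :", active_content(naive_filter(payload)))
        print("escaped    :", active_content(render_as_text(payload)))
        print("allowlisted:", active_content(sanitize_allowlist(payload)))
```

The blacklist fails for a structural reason, not because its list is too short: the filter and the rendering engine tokenise the same bytes differently, so anything the regexes do not model (a tag assembled from the pieces left after one removal, an unquoted attribute value, a tag name nobody thought to list) is still live markup to the engine. Both fixes sidestep that mismatch: escaping means the engine never sees attacker-controlled tags at all, and the allowlist version parses first and emits only markup it constructed itself, so it can still carry the bold and italic formatting a chat client wants.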

ZDNet's advice is to log off from the product, uninstall it and use either Trillian or Adium as a replacement.

AOL claims that no AIM users were at risk because it had fixed many of the problems on the server side.

However, Raff said that it took him five seconds to bypass AOL's fixes.

