eWeek reports on a security problem found in the latest version of AOL Instant Messenger (AIM) that could allow malicious code to be executed if the user clicks a hyperlink in an AIM conversation window. Secunia, the group that released a public advisory yesterday, claims that AOL never contacted them (which prompted the release); iDefense, another security group, claims that it had found the same vulnerability earlier and was working with AOL to fix it. The most recent release of AIM, 5.5.3595, is vulnerable. iDefense says:
America Online, Inc. recommends that Windows users of AIM upgrade to the latest beta version to be released on August 9, 2004. This new version of AIM addresses the vulnerability described herein and can be obtained via the AOL Instant Messenger portal, www.aim.com.
Even granting that the vulnerability was made public before AOL was able to fix it (although they had been working with iDefense since July 12), this is just sloppy. If AOL is not willing to ship a new release version (as it should when a serious vulnerability is found), the least it could do is provide a link to the beta version of its software in a prominent place on its website. One is tempted to ditch AIM for Trillian or Gaim, both of which come with better features and a more proactive approach to security. Luckily for those who want to keep using AIM (I do not know why, though), iDefense provides a workaround:
Exploitation of 'aim:' URI handler vulnerabilities can be prevented by removing the following key from the registry:
The following script can be saved to a file with the .vbs extension and executed to automate the task of removing the relevant URI handler:
' Create the WScript.Shell object; its RegDelete method removes the URI handler key
Set WshShell = CreateObject("WScript.Shell")
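The advisory's VBScript fragment above is cut off before the line that names the key. As an added example that is not part of the iDefense advisory or AOL's software, the following PowerShell script does the same job in a form a practitioner can audit: it shows what command the handler currently runs, backs the key up so the handler can be restored once a fixed build is installed, removes it, and verifies the removal. It relies on the general Windows convention that a custom URI scheme is registered under HKEY_CLASSES_ROOT\<scheme>; the scheme name `aim` is an assumption taken from the advisory's wording, not copied from the elided key. It assumes it is run from an elevated PowerShell session on the affected Windows machine.

```powershell
# Added example (not from the iDefense advisory): back up and remove a URI
# scheme handler on Windows. Windows registers custom URI schemes under
# HKEY_CLASSES_ROOT\<scheme>; the default scheme name 'aim' is assumed here.
param([string]$Scheme = 'aim')

# PowerShell has no HKCR: drive by default, so address the hive via the provider path.
$Key = "Registry::HKEY_CLASSES_ROOT\$Scheme"

if (-not (Test-Path $Key)) {
    Write-Host "No handler registered for '${Scheme}:' (key $Key is absent); nothing to do."
    return
}

# Show what would be launched when a <scheme>: link is clicked, so the change is auditable.
$Cmd = Get-ItemProperty -Path "$Key\shell\open\command" -ErrorAction SilentlyContinue
if ($Cmd) {
    Write-Host "Current handler command for '${Scheme}:': $($Cmd.'(default)')"
}

# Export the key first so the handler can be restored after a fixed client ships.
$Backup = Join-Path $env:TEMP "$Scheme-urlhandler-backup.reg"
& reg.exe export "HKCR\$Scheme" $Backup /y | Out-Null
Write-Host "Backup written to $Backup"

# Remove the handler key and every subkey beneath it.
Remove-Item -Path $Key -Recurse -Force

# Verify: the scheme must no longer resolve to a handler.
if (Test-Path $Key) {
    throw "Failed to remove $Key (is this session elevated?)"
}
Write-Host "'${Scheme}:' handler removed. Restore with: reg.exe import `"$Backup`""
```

Until the key is restored, every `aim:` link on the machine stops working, not just malicious ones; that is the whole point of the workaround. Expect a later AIM installer to re-register the handler, so re-check the key after upgrading rather than assuming the workaround is still in place.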