Latest AIM version on aim.com is 5.5.3595
eWeek reports on a security problem found in the latest version of AOL Instant Messenger (AIM) which could allow malicious code to be executed if the user clicks a hyperlink in an AIM conversation window. While Secunia, the group that released a public advisory yesterday, claims that AOL never contacted them (which prompted the release), iDefense, another security group, claims that it had found the same vulnerability earlier and was working with AOL to fix it. The most recent release of AIM, 5.5.3595, is vulnerable. iDefense says:

America Online, Inc. recommends that Windows users of AIM upgrade to the latest beta version to be released on August 9, 2004. This new version of AIM addresses the vulnerability described herein and can be obtained via the AOL Instant Messenger portal, www.aim.com.

Where's the beta?
What happens when a Windows user concerned about security goes to the AIM website? They are directed to download the latest version - the latest release version, which is the aforementioned 5.5.3595. The more enterprising user who manages to find his way to the AIM Windows Beta page is unable to download the beta, because it does not exist, despite the fact that it was supposed to be released yesterday.

Despite the fact that the vulnerability was made public before AOL was able to fix it (although they had been working with iDefense since July 12), this is just sloppy. If AOL is not willing to make a new release version (as they should when a serious vulnerability is found), the least they could do is provide a link to the beta version of their software in a prominent place on their website. One is tempted to ditch AIM for Trillian or Gaim, both of which come with better features and a more proactive approach towards security. Luckily for those people who want to use AIM (I do not know why, though), iDefense provides a workaround:

Exploitation of 'aim:' URI handler vulnerabilities can be prevented by removing the following key from the registry:

HKEY_CLASSES_ROOT\aim

The following script can be saved to a file with the .vbs extension and executed to automate the task of removing the relevant URI handler:

' Removes the aim: URI handler key so that aim: links no longer launch AIM.
Set WshShell = CreateObject("WScript.Shell")
' The trailing backslash tells RegDelete to delete the key itself; without it, RegDelete looks for a value named "aim" under HKCR.
WshShell.RegDelete "HKCR\aim\"
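As an added example (mine, not part of this post or of iDefense's advisory), here is a PowerShell version of the same workaround that goes a step further: it first lists every URI scheme handler registered under HKEY_CLASSES_ROOT together with the command each one launches, so you can see what an aim: link actually runs on your machine before removing anything, then exports the aim key as a backup before deleting it. It assumes the standard Windows handler layout (a ProgID key carrying an empty 'URL Protocol' value, with the launched command under shell\open\command) and an elevated session; the function names are my own.

```powershell
# Added example for this post (not from the original entry or from iDefense's advisory).
# Audits the URI scheme handlers registered under HKEY_CLASSES_ROOT and, for the
# 'aim' scheme, exports a backup of the key before removing it.
# Assumptions: Windows marks a scheme handler with an empty 'URL Protocol' value
# and stores the launched command under shell\open\command; run this from an
# elevated PowerShell session.

function Get-UriSchemeHandler {
    # Walk HKCR once and keep only the keys marked as URI scheme handlers.
    Get-ChildItem -Path 'Registry::HKEY_CLASSES_ROOT' -ErrorAction SilentlyContinue |
        Where-Object { $null -ne $_.GetValue('URL Protocol', $null) } |
        ForEach-Object {
            $cmdKey = "$($_.PSPath)\shell\open\command"
            $cmd = (Get-ItemProperty -Path $cmdKey -ErrorAction SilentlyContinue).'(default)'
            [pscustomobject]@{ Scheme = $_.PSChildName; Command = $cmd }
        }
}

function Remove-UriSchemeHandler {
    param([Parameter(Mandatory)][string]$Scheme)

    $regPath = "Registry::HKEY_CLASSES_ROOT\$Scheme"
    if (-not (Test-Path -Path $regPath)) {
        Write-Host "No handler registered for '$Scheme'"
        return
    }

    # Export the key first so the handler can be restored later with: reg import <file>
    $backup = Join-Path -Path $env:TEMP -ChildPath "$Scheme-uri-handler.reg"
    reg.exe export "HKEY_CLASSES_ROOT\$Scheme" $backup /y | Out-Null

    # Remove the key and everything beneath it (shell\open\command etc.).
    Remove-Item -Path $regPath -Recurse
    Write-Host "Removed '$Scheme' handler; backup written to $backup"
}

# Show every registered scheme and the command it launches, then remove 'aim'.
Get-UriSchemeHandler | Sort-Object Scheme | Format-Table -AutoSize
Remove-UriSchemeHandler -Scheme 'aim'
```

The listing step is the part worth keeping around after this particular bug is patched: any registered scheme hands a URL straight from a web page or chat window to a local program, so knowing which ones exist on a machine and what they launch is useful well beyond AIM. Reinstalling AIM (or any program that registers its own scheme) will recreate the key, so re-run the listing afterwards.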


UPDATE: Later that day, AOL released both a new release version and a new beta version of AIM that fix this problem. Better late than never...