CoreSecurity has published a HIGH RISK Security Vulnerability discovered in the latest AOL Instant Messenger AIM 6.1, AIM Pro and AIM Lite which would allow remote command execution, HTML and JavaScript injection vulnerabilities.
The vulnerability consist in the way the AIM clients use an embedded Internet Explorer instance. Unfortunately they do not properly sanitize the potentially malicious input content to be rendered and, as a result, an attacker might provide malicious HTML content as part of an IM message to directly exploit Internet Explorer bugs or to target IE’s security configuration weaknesses.
In particular this attack vector exposes workstations to:
Direct remote execution of arbitrary commands without user interaction.
Direct exploitation of IE bugs without user interaction. For example, exploitation bugs that normally require the user to click on a URL provided by the attacker can be exploited directly using this attack vector.
Direct injection of scripting code in Internet Explorer. For example, remotely injecting JavaScript code into the embedded IE control of the AIM client.
Remote instantiation of Active X controls in the corresponding security zone.
Cross-site request forgery and token/cookie manipulation using embedded HTML.
Vulnerable packages
AIM 6.1 (6.1.41.2)
AIM 6.2 (6.2.32.1)
AIM Pro
AIM Lite
Workarounds (un-official) Users running AIM on Microsoft Windows XP SP2 or Windows Server 2003 SP1 may implement Microsoft’s “Internet Explorer Local Machine Zone Lockdown” recommendations to mitigate risk. This will not fix the reported bugs but will reduce the risk of exploitation significantly.
To enable Local Machine Zone Lockdown for your AIM client, go to the following registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft \Internet Explorer\Main\FeatureControl\FEATURE_LocalMachine_Lockdown
Add a REG_DWORD value to this key named as the AIM client application (for example, aim.exe) and set it to 1. Any other setting for this value will disable Local Machine Zone Lockdown for the application.
