RSSCore CTO: Highly Exploitable AIM Bug Could Lead to System Hijack
By Scott M. Fulton, III | Published September 26, 2007, 12:46 PM
5:20 pm ET September 26, 2007 - New information has been learned since our original publication of this story earlier this afternoon: Two other researchers have been racing to discover either the same or a similar exploit, and their discoveries may have prompted Core Security to make its research public yesterday. Click here for the latest revelations.In an interview this morning from Buenos Aires with BetaNews, Core Security Chief Technology Officer Iván Arce described a scenario whereby a malicious user could be able to trigger AOL's Instant Messenger into launching Microsoft's Internet Explorer 7 Web browser, and then send it commands that enable that user to wrest full remote control of the AIM user's system.
"The problem here, I think, is not with implementation," Arce told BetaNews. "It's the way this was designed from the start. It wasn't designed thinking about potential malicious inbound messages, so the mechanisms for filtering were not put in the right place."
BetaNews reported yesterday afternoon the first news of the Core Security team's discovery. The reason that AIM 6.1 and the beta of AIM 6.2 can open up the door to Web browser hijacks, Arce told us, is because they use the rendering engine of Internet Explorer for the typesetting of text and graphics, as do many other programs. The use of IE7 for rendering purposes is fully documented by Microsoft, and for years has been a highly desirable option for developers who would rather not reinvent the wheel every time they create an application that renders multiple styles of text with graphics in a window.
"This is functionality that's known," Arce said. "Microsoft has it documented in the MSDN technical reference, it's everywhere, and many applications use it. Because would you rather write your own HTML parser knowing that Microsoft is your target system, or do you use Microsoft's parser, which is already there, tested, and working?"
The documentation also shows the way this should be done safely, Arce added, which is why he insists it's AOL's responsibility to have ensured that AIM uses this connection in the proper way...and that this is not Microsoft's problem. "Unfortunately, AIM didn't do it safely," he remarked, "and they didn't prevent attacks."
What AIM's developers failed to prevent, Arce believes, are two things: first, IE7's functionality becoming exposed - indirectly, though thoroughly - through the AIM peer; second, unnecessary content such as obvious JavaScript instructions from being filtered out before they reach IE7.
"An IM peer can run JavaScript in the target system, and an IM peer can run ActiveX controls in the target system. All of that is functionality that's common for Internet Explorer, but it shouldn't be exposed to a remote peer that is sending an instant message to you," explained Arce.
As his team discovered, a malicious message can be sent to AIM which triggers the Web browser rendering its text to a malicious Web site. Whereas typical malicious messages use more social means to direct victims to malicious sites - for instance, by saying "You won't believe what I just found here..." - Arce found that AIM peers can be sent to malicious sites without any user intervention whatsoever.
Since IE7 is also capable of triggering ActiveX controls, the Core Security team also found that AIM peers can take advantage of that inter-application communication to seize control of the file system, and other Windows services. Or, perhaps more directly, it could simply launch a CMD.EXE window and wreak havoc the old-fashioned way.
"An IM peer could actually run a command shell in the target system by sending a crafted IM with HTML and ActiveX instantiation," he said.
"All of these things stem from the fact that AIM uses Internet Explorer to render HTML, but it doesn't prevent malicious content from reaching the IE functionality. It should be filtering inbound messages and making sure only valid HTML passes through to IE, and it's not doing that." Filters do exist in AIM, however, as Arce's team discovered - they're just not two-way. They filter outbound content only.
"Specifically, the problem in the design is that filtering is being done on the outbound part of the message. It's being filtered out when IM sends the message, not when you receive it. So if I'm a malicious attacker and I find a way to send a message without being filtered, when you receive it, it's not filtered...Obviously, a malicious user could figure out a way to bypass the filter of outbound messages, and therefore all the people receiving the message cannot filter it out."
Next: Is AOL trying to fix this?
This sounds only slightly less annoying than the way AOL hijacks your whole online experience.
Score: 0
|Seriously, who actually uses AIM...or for that matter IE anymore...
If you do, you shouldn't.
and yes I am aware you cannot control the fact that some programs use IE...but you dont have to use those programs.
Score: 0
|That is why i switched over to Ubuntu a couple of weeks back. I do all my serious work on Ubuntu and then come back to Windows for games only. I am trying to limit my windows "experience" as much as possible.
Unfortunately i have to use Windows at work. :(
Score: 0
|Maybe a different fast food joint has a different os on their registers maybe you should quit.
Score: 0
|again, enjoy your awesome windows experience. is this stuff even worth reporting anymore? MS will have it patched in a month or 2 after they quality test their patch and we'll all golf clap as millions of systems reboot and crash skype. really it's just the same old same old.
Score: 0
|I think that question's worth a response, NULLedge: If we all take the position of mere spectators, to whom operating systems are something that just happens and we just experience them, then yes, all of this is same-old same-old. Windows is like the weather, and we're all standing out in the middle of it, and when there's a thunderstorm we complain when it rains.
But would you have us all be mere spectators? If we're truly involved in this business, then what matters to us most is the evolution of the problem at hand. In other words, not that there's another Windows exploit, and gosh ain't that just too bad for Microsoft, but how do we get around it, and how do we apply the knowledge gained from that experience to help us better develop software, or better deploy software that someone else developed, in the future?
If you're just a spectator, then this is just another bad weather story. If you're an engineer, even at heart, then this is about the latest on the evolution of the threat against your livelihood, and some data as to the nature of the problem and what you can do about it.
Or, in short...yes.
-SF "Doing My Best Joe Biden Impression at the End" 3
Score: 0
|i figure 99% of the security issues are buffer overflows, active x design / implementation failures, or a lack of checks and balances on the part of windows. as a programmer i get your point, but as an ex-windows user, it's still the same song and dance. this probably means something to someone, but to me it just sounds like the same people keep leaving doors unlocked and the same hackers keep walking around jiggling the knobs until they find them. nothing ground breaking. but that's just my opinion and i'm happy to share it or stfu when asked. either way ;)
Score: 0
|