Print this article  |  E-mail this article  |  Comment on this article

Core Security CTO Finds Major Vulnerability in AIM, IE7

By Scott M. Fulton, III, BetaNews

September 25, 2007, 5:07 PM

Flashpoint ribbon (small)
The Associated Press reported this afternoon that the chief technology officer of the company that makes Core Impact, a very well-known penetration testing product for enterprise networks, has gone public with the discovery of a new and significant vulnerability affecting AOL Instant Messenger, on systems where Internet Explorer 7 is also installed.

Core Security CTO Iván Arce told the AP that the current AIM 6.1, including the Pro and Lite versions, as well as the beta of AIM 6.2 all utilize Internet Explorer 7 for some of their rendering functions, including graphic emoticons. The interaction between AIM and IE7 apparently takes place over a link that Arce says he's proven can be exploitable, in demonstrations last month to officials of AOL's parent company, Time Warner.

Certain commands issued during an IM session can apparently enable full remote access to IE7, according to the AP report's assessment of Arce's claim. Users of the Web-based alternative to AIM would not experience this problem, he said.

For more: Core CTO: Highly Exploitable AIM Bug Could Lead to System Hijack

Add a Comment (32 Comments)

BetaNews reserves the right to remove any comment at any time for any reason. Please keep your responses appropriate and on topic. Foul language and personal attacks will not be tolerated.

Name (required):

E-mail (required):

Enter Your Comment:

By improvelence

posted Sep 26, 2007 - 10:44 AM

Their are still people using AIM? wow....what am I gonna find out next, hampsterdance.com is the most popular site on the web???

Score: 0

By PC_Tool

posted Sep 26, 2007 - 11:14 AM

*laughs*

Excellent. I had totally forgotten about that.

Time to walk through the building and set it as the homepage of the folks who've left their PCs without locking the session.

If that doesn't teach 'em...

Score: 0

By mrp-

posted Sep 26, 2007 - 12:01 AM

Is AIM 4.8 affected?

Score: 0

By 9h0s7

posted Sep 26, 2007 - 10:09 AM

4.8 probably came out before IE7 so most likely not. I don't use AIM so I'm not completely sure.

Score: 0

By bourgeoisdude

posted Sep 26, 2007 - 9:23 AM

" Iván Arce told the AP that the current AIM 6.1, including the Pro and Lite versions, as well as the beta of AIM 6.2 all utilize Internet Explorer 7 for some of their rendering functions, including graphic emoticons."

Didn't see AIM 4.8 mentioned in there, but since AIM 4.8 may no longer be supported by aol (I don't know if it is or not), it will not be mentioned anyway.

Kinda like the fact that the 2005 WMF exploit actually affected Windows 95 and Windows 3.1 as well, but since Microsoft retired support for those ages ago, they needn't mention them.

Score: 0

By zridling

posted Sep 25, 2007 - 11:22 PM

How many does this make for IE over the past four months? Wasn't new versions of Vista/IE supposed to make us safer?

Aww, I hear toolie crying.

Score: 0

By PC_Tool

posted Sep 26, 2007 - 11:13 AM

Posting 101: You fail.

Nice double-post. I imagine the excitement at the thought of being able to make yet another MS-Troll post was just too much for you.

Next time, try reading the article first.

Score: 0

By athome

posted Sep 26, 2007 - 5:24 AM

Maybe I am reading it wrong, but the problem is with AIM and how it uses 7 for rendering that is the problem. Too quick to jump on IE7. Maybe wait until the full details are brought to light before you condem the product.

Score: 0

By Metshrine

posted Sep 26, 2007 - 5:23 AM

Gee, don't all software products have the possibility of holes? Last I checked people still made mistakes and pencils still had erasers. Oh wait, you just wanted another chance to attack IE and another user. You know, from someone who tries to act so professional on other sites (DontationCoder, the great software list), you sure don't know how to do so on a simple review site.

Score: 0

By zridling

posted Sep 25, 2007 - 11:22 PM

How many does this make for IE over the past four months? Wasn't new versions of Vista/IE supposed to make us safer?

Aww, I hear toolie crying.

Score: 0

By PC_Tool

posted Sep 26, 2007 - 11:11 AM

ROFLMAO....

Reading Comprehension 101: You fail.

Also note than under protected mode, even "full access to IE7" is pretty damned useless.

Score: 0

By athome

posted Sep 26, 2007 - 5:24 AM

Maybe I am reading it wrong, but the problem is with AIM and how it uses 7 for rendering that is the problem. Too quick to jump on IE7. Maybe wait until the full details are brought to light before you condem the product.

Score: 0

By rsx508

posted Sep 25, 2007 - 9:20 PM

We ban AIM at work and I ban it at home. It's useless. IE7 is part of Vista so you live with it, even if you load FF or Opera or whatever.

Score: 0

By NULLedge

posted Sep 25, 2007 - 8:20 PM

and why not. with microsoft being as secure as it is, what could go wrong

Score: 0

By jessshaun

posted Sep 25, 2007 - 7:28 PM

I don't use IE OR AIM, so nothing to worry about.

Score: 0

By The MAZZTer

posted Sep 25, 2007 - 9:17 PM

Read more carefully. It doesn't matter if YOU use IE7... AIM itself uses IE7.

You don't use AIM at all so you're not affected, just thought I'd make that distinction.

I use Trillian Astra myself.

Score: 0

By improvelence

posted Sep 26, 2007 - 10:45 AM

Trillian is the sheeyat

Score: 0

By mjm01010101

posted Sep 25, 2007 - 5:57 PM

Pretty much assume AIM and Yahoo Messenger have security issues, public disclosed or not.

Score: 0

By bourgeoisdude

posted Sep 25, 2007 - 5:38 PM

I gather that this exploit can only occurr with both AIM and IE7 working together. This much I figured out on my own. My question is: where is the actual vulnerability, IE7 or AIM (or both)?

Score: 0

By athome

posted Sep 26, 2007 - 5:45 AM

"Certain commands issued during an IM session.."

To me, this is an AIM problem with it's poor integration with IE7. The developers of IE7(Microsoft) should not be held responsible for the actions of others. Developers, on a whole, cannot be faulted by the intentional/unintentional use of their product - though measures should be taken to keep if from happening in the future now that it has been brought to light.

Though the actual vulnerability is not described in detail, it is often puzzling how others jump to conclusions and bash a product, in this case IE7, without all the facts. I too, wish to know more and look forward to the follow-up article. If BetaNews has their initial information correct, this seems to be an AIM issue that is affecting IE7.

Score: 0

By Program86

posted Sep 25, 2007 - 5:28 PM

BAM!

Another day, another windows vulnerability... "laughs"

Score: 0

By The MAZZTer

edited Sep 25, 2007 - 9:19 PM

It's an AIM vulnerability. Microsoft is in no way responsible, from what it sounds like. Even if it utilizes some sort of IE exploit or vulnerability, the only excuse for using IE7 for what AOL is doing with it is lazy programming on the part of AOL.

Score: 0

By PC_Tool

posted Sep 25, 2007 - 8:54 PM

BAM!

Another MS troll hits the web and totally fails at reading comprehension.

You guys are such good entertainment, who needs TV?

Score: 0

By athome

posted Sep 26, 2007 - 5:46 AM

Agreed!

Score: 0

By Bogunch

edited Sep 25, 2007 - 7:50 PM

Interesting that an Apple fan-boy would comment on browser vulnerabilities with all of the vulnerabilities found recently in Safari!

Score: 0

By NULLedge

posted Sep 25, 2007 - 8:23 PM

on windows? safari has only had 4 patches since it's 2.0 launch. 3 on windows isn't even out of beta.

Score: 0

By The MAZZTer

posted Sep 25, 2007 - 9:21 PM

... and 3 on windows has already had two patches, if I'm not mistaken.

And neither of them fixed the problem I've been having where the menu bar is invisible. I'm not on a Mac here!

Annnd I just went to run it again and it crashed on startup. Boo. But then again a few things are broken on here ATM so I can't really blame Apple for that.

Score: 0

By NULLedge

posted Sep 26, 2007 - 8:16 PM

you're running a beta app on a platform it's not native to. i'm shocked your computer hasn't imploded

Score: 0

By jessshaun

edited Sep 25, 2007 - 7:29 PM

Perhaps you need to read that again... I don't see anything about a "windows" vulnerability. I see an IE vulnerability.

EVERY software has vulnerabilities, however. NO web browser or OS is immune.

Score: 0

By terminalx

posted Sep 25, 2007 - 6:50 PM

How many patches did Apple release again in the past few months?

/thank you
//No piece of complex software is 100% including YOURS.

Score: 0

By Bogunch

posted Sep 25, 2007 - 7:30 PM

Exactly! And how many holes have been found in the over-hyped iProne?

Score: 0

By NULLedge

posted Sep 25, 2007 - 8:26 PM

What? 2 patches? fomg the world will collapse.

Score: 0

Nov 21 - 9:29 PM ET Hurd's the word in Ballmer's e-mail nightmares

Nov 21 - 6:51 PM ET Coalition urges better laws for e-mail and cell phone privacy

Nov 21 - 6:42 PM ET How is Internet advertising faring in this bad economy?

Nov 21 - 6:15 PM ET From out of the Amazon Cloud, an AWS winner emerges

Nov 21 - 5:20 PM ET Mufin music finder enters public beta, adds widgets

Nov 21 - 5:01 PM ET Google launches its SearchWiki semantics plug-in

Nov 21 - 4:57 PM ET Asus previews a slimmer, less costly Eee PC

Nov 21 - 4:32 PM ET New Adobe Media Player ushers in AIR 1.5

Nov 21 - 2:11 PM ET AT&T to add Pantech's low-cost C630 phone to 3G lineup

Nov 21 - 1:11 PM ET iPhone gets firmware 2.2 update