AOL's instant messaging service (AIM) contains a serious security hole that could allow remote attackers to execute malicious code on computers running it.
AOL confirmed the existence of the vulnerability in an AIM feature that allows users to post automatic replies, such as "I'm away" messages, to instant messages (IMs) that they receive. The company is planning to release a test version of the AIM client later this week that will fix the hole, said spokesman Andrew Weinstein.
The security hole was discovered by iDefense, a computer security intelligence company. A flaw in an AIM component called the "goaway" function allows an attacker to cause a buffer overrun on machines running AIM. Attackers could trigger the flaw by feeding a large amount of data to the goaway function, possibly using a URL embedded in an instant message to the user.
In a buffer overrun, a program writes more data than the memory space allocated to hold it can contain, allowing an attacker to crash vulnerable applications or place and run their own code on the vulnerable computer.
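The defensive counterpart to the overrun described above, as an added illustration that is not AOL's or iDefense's code: link-supplied away text is decoded into a fixed buffer, and anything that would not fit is rejected instead of written past the end. The 64-byte capacity, the function names and the percent-encoded input format are assumptions; the article does not describe AIM's internals.

```c
#include <stdio.h>
#include <stddef.h>
#include <string.h>

#define AWAY_MAX 64  /* assumed capacity; the real buffer size is not given */

/* Hypothetical helper: numeric value of a hex digit, or -1 if not hex. */
static int hexval(char c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Percent-decode away text taken from a link into out[cap].
 * Returns the decoded length, or -1 if the text is malformed or too long.
 * The unsafe pattern this replaces is an unbounded copy such as
 * strcpy(fixed_buf, text), which writes past the buffer on long input. */
int decode_away_text(const char *text, char *out, size_t cap) {
    size_t n = 0;
    if (cap == 0) return -1;
    while (*text) {
        char c = *text++;
        if (c == '%') {
            /* Check both digits before consuming them, so a truncated
             * escape at the end of the string is never read past. */
            int hi = hexval(text[0]);
            int lo = hi < 0 ? -1 : hexval(text[1]);
            if (lo < 0) { out[0] = '\0'; return -1; }
            c = (char)(hi * 16 + lo);
            text += 2;
            if (c == '\0') { out[0] = '\0'; return -1; }  /* embedded NUL */
        } else if (c == '+') {
            c = ' ';
        }
        /* Reject rather than truncate; keep one byte for the terminator. */
        if (n + 1 >= cap) { out[0] = '\0'; return -1; }
        out[n++] = c;
    }
    out[n] = '\0';
    return (int)n;
}

int main(void) {
    char buf[AWAY_MAX];
    int n = decode_away_text("Out%20to+lunch", buf, sizeof buf);  /* constructed input */
    printf("%d \"%s\"\n", n, buf);
    return 0;
}
```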
All known versions of AIM for Windows are affected and, if successfully exploited, the away message vulnerability would allow remote attackers to run code with the privileges of the PC's user. However, AIM users would have to click on the URL to trigger the vulnerability, which will make it harder for malicious hackers or virus writers to use it in automated attacks, Weinstein said.
The vulnerability reinforces the importance of using caution when clicking on links in IM messages, especially when they are from unknown correspondents, he said.
iDefense discovered the vulnerability and informed AOL about it on 12 July, the company said. The company released an advisory on Monday only after computer security intelligence company Secunia Inc., of Copenhagen, published an advisory warning of the hole, citing information provided by two security researchers who had also discovered the hole.
AOL will encourage AIM users to switch to the beta AIM client when it is released. Alternatively, iDefense recommends changing a Windows configuration setting to protect systems from exploitation. AOL does not know of any customers who have been attacked using the security hole, Weinstein said.
Long popular with home computer users, instant messaging is increasingly being used in the business world. After trying to market, then abandoning, its own corporate IM gateway, AOL is now working with third-party corporate IM technology companies to integrate its instant message technology into corporate applications.