A day after users of AOL’s instant messaging service were advised to upgrade to address a vulnerability uncovered by Core Security Technologies, well-known security researcher Aviv Raff reports that he has found a way to defeat the patch.
His finding, subsequently confirmed by AOL in an e-mail he received, is the latest twist in the case of a vulnerability reported to AOL by Core Security in August but publicized among security aficionados two weeks ago, before either company was ready to disclose the issue.
The flaw in question affects AIM 6.1, 6.2 beta, AIM Pro and AIM Lite. All of the vulnerable AIM clients include support for enhanced message types that allow people to use HTML to customize text messages with specific font formats or colors. To render this HTML content, the vulnerable AIM clients use an embedded Internet Explorer server control, Core Security officials said.
Since these clients do not properly sanitize potentially malicious content before it is rendered, an attacker could deliver malicious HTML code in an IM message to directly exploit IE bugs without user interaction or to target security configuration weaknesses in IE.