AOL IM 'Away' message flaw deemed critical

Computer security companies are warning users of America Online Inc.'s Instant Messenger (AIM) software that a serious security hole in the product could allow remote attackers to execute malicious code on computers that run the popular instant messaging software.

America Online (AOL) confirmed the existence of the software vulnerability in an AIM feature that allows users to post automatic replies, such as "I'm away" messages, to instant messages (IMs) that they receive. The company is planning to release a test version of the AIM client later this week that will fix the hole, said Andrew Weinstein, an AOL spokesman.

The security hole was discovered by iDefense Inc. of Reston, Virginia, a computer security intelligence company. A flaw in an AIM component called the "goaway" function allows an attacker to cause a buffer overrun on machines running AIM. Attackers could trigger the flaw by feeding a large amount of data to the goaway function, possibly using a URL (uniform resource locator) embedded in an instant message to the user.

In a buffer overrun, space in a computer's memory allocated to hold data is exceeded, allowing the attacker to crash vulnerable applications or place and run their own code on the vulnerable computer.

All known versions of AIM for Microsoft Corp. Windows are affected and, if successfully exploited, the AIM away message vulnerability would allow remote attackers to run code with the privileges of the user who launched the AIM application, iDefense said.

However, AIM users would have to click on the URL to trigger the vulnerability, which will make it harder for malicious hackers or virus writers to use it in automated attacks, Weinstein said.

The vulnerability reinforces the importance of using caution when clicking on links in IM messages, especially when they are from unknown correspondents, he said.

IDefense discovered the vulnerability and informed AOL about it on July 12, the company said. The company released an advisory on it Monday only after computer security intelligence company Secunia Inc., of Copenhagen published an advisory warning of the hole, citing information provided by two security researchers who also had discovered the hole.

AOL will encourage AIM users to switch to the beta AIM client when it is released. Alternatively, iDefense recommended changing a Windows configuration setting to protect systems from exploitation. (See: http://www.idefense.com/application/poi/display?id=121&type=vulnerabilities.)

AOL does not know of any customers who have been attacked using the security hole, Weinstein said.

Long popular with home computer users, instant messaging is increasingly being used in the business world. After trying to market, then abandoning its own corporate IM gateway, AOL is now working with third party corporate IM technology companies to integrate its instant message technology into corporate applications.