Core Security CTO Finds Major Vulnerability in AIM, IE7
Core Security CTO Iván Arce told the AP that the current AIM 6.1, including the Pro and Lite versions, as well as the beta of AIM 6.2, all use Internet Explorer 7 for some of their rendering functions, including graphic emoticons. The interaction between AIM and IE7 apparently takes place over a link that Arce says he has proven to be exploitable, in demonstrations last month to officials of AOL's parent company, Time Warner.
Certain commands issued during an IM session can apparently enable full remote access to IE7, according to the AP report's assessment of Arce's claim. Users of the Web-based alternative to AIM would not experience this problem, he said.
For more: Core CTO: Highly Exploitable AIM Bug Could Lead to System Hijack