Core Security CTO Finds Major Vulnerability in AIM, IE7
The Associated Press reported this afternoon that the chief technology officer of the company that makes Core Impact, a very well-known penetration testing product for enterprise networks, has gone public with the discovery of a new and significant vulnerability affecting AOL Instant Messenger, on systems where Internet Explorer 7 is also installed.
Core Security CTO Iván Arce told the AP that the current AIM 6.1, including the Pro and Lite versions, as well as the beta of AIM 6.2 all utilize Internet Explorer 7 for some of their rendering functions, including graphic emoticons. The interaction between AIM and IE7 apparently takes place over a link that Arce says he's proven can be exploitable, in demonstrations last month to officials of AOL's parent company, Time Warner.
Certain commands issued during an IM session can apparently enable full remote access to IE7, according to the AP report's assessment of Arce's claim. Users of the Web-based alternative to AIM would not experience this problem, he said.
For more: Core CTO: Highly Exploitable AIM Bug Could Lead to System Hijack