Core CTO: Highly Exploitable AIM Bug Could Lead to System Hijack

This morning, an AOL spokesperson told BetaNews that AIM users can be assured they are safe, and that the company will have more to say about the matter later.

This is far from the first very serious hole in AOL Instant Messenger over its long history. Seven years ago, my former CMP colleague Tristan Louis and I discussed how a string of alarming bugs dating back to 1997 had been made known to AOL by its own security engineer, who had previously served as cyber-security chief for President Clinton. At that time, the company's response was to reassign all available resources to damage control - making sure the public didn't think ill of the company.

Today's AIM bug is far different from those earlier ones, since it involves possible malicious control of the IM clients rather than the AOL server. But has the company's response to evidence of exploitable design flaws changed from its stonewalling policy at the turn of the decade?

Arce says it has. In fact, contrary to what was implied by the first AP story yesterday, Core Security - the maker of the Core Impact penetration testing service and software for enterprise networks - has been working with AOL directly since last August, and continues to do so. While there have been disagreements, Arce describes this relationship as ongoing and cordial.

In fact, AOL's response is better now than it was in 2003, and on later occasions since then, he explained, when Core Security found exploitable flaws in AIM as well as ICQ. "Since 2003 and since last year, this time it was better," he said. "We reported this in August, and we started working on them towards a fix, and they did a fairly large amount of work trying to fix this. They're getting better."

So why didn't Core Security wait until the AIM security team finished its work on a fix? "While we were in this process of reporting and getting a fix and working on a complete solution, we discovered that a third party already found the same problem and posted it publicly. It wasn't a very clear indication of being the same bug, so we talked to AOL...They told us, 'We're aware of it, and it's a different problem.' We said it looks quite similar to us, and they said, 'Well, it's different because it's in a different window. We've done analysis that indicates it's a different problem.' Our analysis indicates it's the same problem. [We said] let's look at this more carefully because information may already be in the public eye, and with that information, it is trivial to find out what we reported. So we need to move at a faster pace."

Arce said it was time now to warn users they may be vulnerable. But what can they do? For individual users, he suggested three possibilities, all of which are very simple: 1) use the Web browser-based version of the AIM service instead; 2) revert to AIM version 5.9 or older; 3) install the beta of the newest AIM version 6.5, in which Core Security found the vulnerability does not exist.

For enterprise networks where thousands of copies of AIM may be installed, would good penetration testing software help, by any chance? In all honesty, Arce said it could help maybe a little bit. "Penetration testing can help here, but I think the best approach is to deploy good counter-measures." For instance, he suggested IT managers should use software inventory managers to determine which desktops are running vulnerable versions of AIM, as well as patch management applications to deploy fixes such as the 6.5 beta.
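The inventory-first approach Arce describes can be scripted. The following is an added example, not code from BetaNews, Core Security or AOL: it reads a (constructed) software inventory export and sorts AIM installs into exposed, safe and needs-a-look buckets. The exposed range it uses, 6.0 up to but not including 6.5, is an inference from the article's advice (5.9 or older is fine, the 6.5 beta is fine) rather than a published affected-version list, and the CSV column names and hostnames are assumptions.

```python
"""Triage a software inventory export for AIM installs (added example)."""
import csv
import io
import re
from typing import Dict, List, Optional, Tuple

# Assumption drawn from the article's advice: 5.9 and older are outside the
# exposed range and the 6.5 beta is not affected, so 6.0 <= version < 6.5 is
# treated as exposed. This is an inference, not a published affected list.
VULN_LOW: Tuple[int, ...] = (6, 0)
VULN_FIXED: Tuple[int, ...] = (6, 5)

# Constructed inventory export; hostnames, products and versions are sample
# values and the column names are an assumption about the export format.
INVENTORY_CSV = """host,product,version
ws-101,AOL Instant Messenger,6.1.41.2
ws-102,AOL Instant Messenger,5.9.6089
ws-103,AIM,6.5.3.12 beta
ws-104,AIM,6.0
ws-105,Mozilla Firefox,2.0.0.9
ws-106,AOL Instant Messenger,
"""

# Match the product name whether the inventory tool records it as "AIM" or
# as "AOL Instant Messenger"; the word boundary avoids hits like "claim".
AIM_PRODUCT = re.compile(r"\baim\b|instant messenger", re.IGNORECASE)


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Turn '6.1.41.2' or '6.5.3.12 beta' into a comparable tuple of ints.

    Returns None when no numeric component is present, so callers can flag
    the record for manual follow-up instead of silently treating it as safe.
    """
    parts = re.findall(r"\d+", text or "")
    return tuple(int(p) for p in parts) if parts else None


def classify(product: str, version: str) -> str:
    """Return 'n/a', 'unknown', 'vulnerable' or 'safe' for one record."""
    if not AIM_PRODUCT.search(product or ""):
        return "n/a"
    ver = parse_version(version)
    if ver is None:
        return "unknown"
    # Tuple comparison handles mixed lengths: (6, 5, 3, 12) is not < (6, 5).
    if VULN_LOW <= ver < VULN_FIXED:
        return "vulnerable"
    return "safe"


def triage(csv_text: str) -> Dict[str, List[str]]:
    """Group hosts by status; rows for non-AIM products are dropped."""
    buckets: Dict[str, List[str]] = {"vulnerable": [], "safe": [], "unknown": []}
    for row in csv.DictReader(io.StringIO(csv_text)):
        status = classify(row.get("product", ""), row.get("version", ""))
        if status in buckets:
            buckets[status].append(row["host"])
    return buckets


if __name__ == "__main__":
    for status, hosts in triage(INVENTORY_CSV).items():
        print(f"{status:10s} {', '.join(hosts) or '-'}")
```

The "unknown" bucket is the part worth keeping: an inventory row with a missing or unparseable version is exactly the desktop a patch-management rollout is most likely to skip, so it should go to a person rather than be counted as safe.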

Though Iván Arce believes his team's discovery is specific to AIM and not to any other product that uses Internet Explorer 7 as a renderer, the apparent fact that AIM's developers could use documented procedures to communicate with Microsoft's Web browser in a way that lets a third party hijack that communication for its own purposes casts some doubt on whether IE7's security is as radically refined as Microsoft claims.
