Core CTO: Highly Exploitable AIM Bug Could Lead to System Hijack



5:15 pm ET September 26, 2007 - Iván Arce told BetaNews he went public with the news of the AIM vulnerability after learning that a third party was about to do the same. AOL, he said, responded to him by saying its technicians thought the third-party exploit was different in nature; Arce said his team believed it was the same.

As it turns out, both parties may have been discussing two separate exploits. AOL may have been referring to an alleged exploit that turned up on underground sources last week. That exploit, announced last week by ZDNet blogger Ryan Naraine, uses a VBScript to trigger the remote downloading of any arbitrarily-named file from a system where an IM client is installed.

That's indeed quite different from the exploit independently discovered (or at least, so he describes) by independent consultant Aviv Raff. In a personal blog posting this morning, Raff says he notified AOL of his own discovery just yesterday, but initially got no response. After the Core Security report was made public yesterday afternoon, Raff did get a response from AOL: "We have already fixed our client on these issues and the client is scheduled for a mid-October release. This fix is not yet in the current AIM beta client."

Assuming Raff is correct, and that his discovery is indeed the same as Arce's, then AOL's response would not coincide with Arce's understanding, which is that the current 6.5 beta does fix the problem at hand.


© 1998-2025 BetaNews, Inc. All Rights Reserved.