Okay, you’re chatting with your friends on AIM (AOL Instant Messenger) and suddenly you’ve been exploited. Somehow, someone has pawned IE via AIM and now you have a trojan backdoor running. Sure, it sounds like some kind of spy and dagger movie, but it’s true. In this day and age of cat-and-mouse security, crackers and software vendors relentlessly go after one another. AOL has found itself responding to a very serious security threat reported by Core Security Technologies.
Core Security Technologies had this to say about what the exploit involves:
In particular this attack vector exposes workstations to:
- Direct remote execution of arbitrary commands without user interaction.
- Direct exploitation of IE bugs without user interaction. For example, exploitation bugs that normally require the user to click on a URL provided by the attacker can be exploited directly using this attack vector.
- Direct injection of scripting code in Internet Explorer. For example, remotely injecting JavaScript code into the embedded IE control of the AIM client.
- Remote instantiation of Active X controls in the corresponding security zone.
- Cross-site request forgery and token/cookie manipulation using embedded HTML.
The vulnerable versions include:
AOL had this to say about the issue:
AOL has become aware of security vulnerabilities in several AIM instant messaging clients. Successful exploitation of these vulnerabilities could allow an attacker to execute arbitrary commands on a user’s workstation. AOL has deployed host side filtering on the AIM servers to block this potentially malicious content from being sent to AIM clients.
Solutions
1. Users of AIM can upgrade to the latest version of the AIM beta client at beta.aol.com.
Other workarounds (un-official)
Workaround #1: Users running AIM on Microsoft Windows XP SP2 or Windows Server 2003 SP1 may implement Microsoft’s “Internet Explorer Local Machine Zone Lockdown” recommendations to mitigate risk. This will not fix the reported bugs but will reduce the risk of exploitation significantly.
To enable Local Machine Zone Lockdown for your AIM client, go to the following registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft \Internet Explorer\Main\FeatureControl\FEATURE_LocalMachine_Lockdown
Add a REG_DWORD value to this key named as the AIM client application (for example, aim.exe) and set it to 1. Any other setting for this value will disable Local Machine Zone Lockdown for the application.
For further details about how to configure this feature read Microsoft’s Internet Explorer Local Machine Zone Lockdown recommendation at http://technet.microsoft.com/en-us/library/bb457150.aspx#EHAA
Source: Core Security Technologies
If you would like to make a comment, please fill out the form below.
Recent Comments