A vulnerability was discovered in these three popular versions of AOL Instant Messaging software, AIM 6.1 (and 6.2 beta), AIM Pro and AIM Lite, which expose workstations running the IM clients and their users to several immediate high-risk attack vectors. To support rendering of HTML content, the vulnerable IM clients use an embedded Internet Explorer server control. Unfortunately they do not properly sanitize the potentially malicious input content to be rendered and, as a result, an attacker might provide malicious HTML content as part of an IM message to directly exploit Internet Explorer bugs or to target IE?s security configuration weaknesses.

In particular this attack vector exposes workstations to:

Direct remote execution of arbitrary commands without user interaction.

Direct exploitation of IE bugs without user interaction. For example, exploitation bugs that normally require the user to click on a URL provided by the attacker can be exploited directly using this attack vector.

Direct injection of scripting code in Internet Explorer. For example, remotely injecting JavaScript code into the embedded IE control of the AIM client.

Remote instantiation of Active X controls in the corresponding security zone.

Cross-site request forgery and token/cookie manipulation using embedded HTML.



For more information read the full advisory.