Information Security News mailing list archives

AIM Flaw Could Open Users' Computers to Attack


From: InfoSec News <isn () C4I ORG>
Date: Wed, 13 Dec 2000 22:24:30 -0600

http://www.internetnews.com/wd-news/article/0,,10_534531,00.html

By Thor Olavsrud
December 13, 2000

In the trenches of the instant messaging (IM) wars, America Online
Inc. has so far argued against interoperability, citing security
concerns on behalf of its AOL Instant Messenger (AIM) users. But a
security advisory from @stake Inc., issued Wednesday morning, suggests
AIM users may be at risk from the AIM client itself.

According to @stake, a security consulting and research firm based in
Cambridge, Mass., the bug poses a serious risk because it does not
require AIM's use, merely that it be installed. The client ships by
default with current versions of the Netscape Communicator browser, in
addition to stand-alone downloads.

The security weakness could allow an attacker -- through malicious
HTML e-mail or a malicious Web site -- to remotely take control of a
machine with AIM installed.

"This one happens to be real easy to exploit," said Weld Pond, manager
of Research & Development, @stake. "In our lab we crafted up a code
that would allow an attacker to download a file onto the user's system
and then execute it. If it just crashed your instant messenger client
that wouldn't be nearly so bad, but we think this is a big
vulnerability."

The bug stems from the fact that AIM, when installed, registers the
URL protocol "aim:" as a hook into its executable, according to
@stake. This allows users to publish their AOL screen names on Web
pages and be quickly and easily added to viewers' "Buddy Lists,"
engage in AIM Chat or otherwise access AIM functionality by simply
clicking on a link. To achieve this, each "aim:" URL is passed directly
to the AIM client as if it had been typed on the command line. For
instance, AIM users can type "aim:goim?Screenname=bob&Message=hi bob"
into the address bar of their browser, and the command is passed to
AIM, which opens an instant message box containing the words "hi bob."

But @stake said the client software has numerous vulnerabilities that
allow a maliciously crafted URL to overflow internal buffers and
obtain control of the program.

AIM has more than 64 million users, and Pond warned that many of those
users run the client outside the home. He thinks corporations also need
to be concerned.

"We find in our network assessments that [AIM] is something that is
used in corporations in a big way," he said. "There's millions of
these that are actually not just on home computers but they're
probably in corporate environments. I think it will be a struggle for
IT departments to get a handle on making sure that their
infrastructure is not vulnerable given that there's so many --
probably -- unsanctioned clients in their environments."

And IT departments shouldn't rely on firewalls to protect their
infrastructure in this case. "As these vulnerabilities are a result of
client-initiated communications, most corporate firewall
configurations do not guard these environments from attack," @stake
wrote in its advisory.

AOL posted a "refresh" version of the AIM client on Dec. 6, but has
not gone to great lengths to advertise its availability or the reason
users should download the patched version.

"We recently discovered a potential issue with the Web-based AIM
program and immediately fixed it," said Andrew Weinstein, an AOL
spokesman. "We have not, however, heard any reports that this exploit
has been used in the real world."

As to not warning customers about the need to upgrade, Weinstein said,
"We regularly advise our users to upgrade all the time."

"I don't know how AOL is ever going to let all these instant messenger
users know that they should upgrade," Pond said. "On the site there's
no mention of this problem, there's no release notes about any things
that are fixed. Unless people know to upgrade, they'll stay
vulnerable, and this is the type of software which I can see a year
going by or two years going by before someone will upgrade their
software. And they're going to be vulnerable that whole time."

@stake suggested that users who cannot upgrade easily should uninstall
AIM through the Add/Remove Programs control panel. Alternatively,
registry key settings can be changed to prevent AIM from being
launched by a malicious URL. However, AIM rewrites registry settings
when it is launched, undoing any protective patches unless it is done
through Windows NT or Windows 2000, both of which can enforce access
control on registry keys.

@stake said the following key values should be set to empty:

    HKEY_CLASSES_ROOT\aim\shell\open\command
    HKEY_CLASSES_ROOT\aimfile\shell\open\command
    HKEY_CLASSES_ROOT\AIM.Protocol\CLSID
    HKEY_CLASSES_ROOT\AIM.Protocol.1\CLSID

Users should then change the security permissions on those keys to
READ-ONLY.

Another alternative is to delete the registry key --
HKEY_CLASSES_ROOT\aim\shell\open\command -- following each launch of
AIM.
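The registry workaround above, carried out as a PowerShell script. This is an added example and is not code from @stake's advisory or from AOL; it blanks the four keys named in the article and then restricts them to read access so that AIM cannot rewrite them at its next launch, which is why the article limits the protection to Windows NT and Windows 2000. It assumes it is run from an administrator session and that the keys exist (missing keys are reported and skipped); the HKCR: drive name and the choice to leave Administrators with full control are the example's own.

```powershell
# Added example, not from the @stake advisory or AOL. Hardens the four
# "aim:" handler keys named in the article on Windows NT/2000 so that a
# malicious "aim:" URL cannot launch the AIM client. Run as Administrator.
# Assumption: the keys exist; any key that is absent is reported and skipped.

# PowerShell has no HKCR: drive by default; map one onto HKEY_CLASSES_ROOT.
if (-not (Get-PSDrive -Name HKCR -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT | Out-Null
}

# The keys listed in the advisory. The "command" keys hold the launch command
# line in their (Default) value; the CLSID keys bind the protocol handler object.
$aimKeys = @(
    'HKCR:\aim\shell\open\command',
    'HKCR:\aimfile\shell\open\command',
    'HKCR:\AIM.Protocol\CLSID',
    'HKCR:\AIM.Protocol.1\CLSID'
)

foreach ($key in $aimKeys) {
    if (-not (Test-Path -Path $key)) {
        Write-Warning "Not present, skipping: $key"
        continue
    }

    # Step 1: blank the (Default) value so the "aim:" hook resolves to nothing.
    Set-ItemProperty -Path $key -Name '(default)' -Value ''

    # Step 2: make the key read-only. AIM rewrites these keys when it starts,
    # so without an ACL the blank value is undone the next time the client runs.
    $acl = Get-Acl -Path $key
    # Stop inheriting the permissive parent ACL and drop any explicit rules.
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($rule in @($acl.Access)) { $acl.RemoveAccessRule($rule) | Out-Null }
    # Everyone (AIM runs as the interactive user) may only read the key.
    $acl.AddAccessRule((New-Object System.Security.AccessControl.RegistryAccessRule(
        'Everyone', 'ReadKey', 'ContainerInherit,ObjectInherit', 'None', 'Allow')))
    # Administrators keep full control so the change can be audited or reverted
    # (assumption of this example; the article only says "READ-ONLY").
    $acl.AddAccessRule((New-Object System.Security.AccessControl.RegistryAccessRule(
        'BUILTIN\Administrators', 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')))
    Set-Acl -Path $key -AclObject $acl

    Write-Output "Hardened: $key"
}

# Verification: the command keys should now resolve to an empty launch string.
# Re-run this check after starting AIM once to confirm the ACL held.
foreach ($key in ($aimKeys | Where-Object { $_ -like '*\command' })) {
    if (Test-Path -Path $key) {
        $cmd = (Get-ItemProperty -Path $key).'(default)'
        Write-Output ("{0} -> '{1}'" -f $key, $cmd)
    }
}
```

The ACL step is what separates this from the "delete the key after each launch" alternative: on Windows 9x/ME there is no access control on registry keys, so the blanked value survives only until AIM next runs, and the per-launch deletion is the only option the article offers there. On NT/2000, launching AIM after this script and re-running the verification loop is the quickest way to confirm the client could not restore the handler.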

Environments that utilize application proxies or other filtering tools
can filter out "aim:" URLs at the filtering point.

ISN is hosted by SecurityFocus.com
---
To unsubscribe email LISTSERV () SecurityFocus com with a message body of
"SIGNOFF ISN".
