Any hacker in the world can use your AIM messenger to do a lot more than send you messages.
According to ZDNet blog writer Ryan Naraine: "The attack scenario works without the target clicking on a link and only requires that the AIM user is logged on and accepting incoming messages."
The weakness allows any kind of worm or malicious (unsafe) code to run. Just having AIM open and accepting messages is enough to infect your computer with all kinds of nasties. This is very serious. For that reason you should uninstall AIM immediately and use a safer IM client such as Pidgin (formerly known as GAIM, until AOL sued them for it) or Trillian.
AOL has patched the AIM clients affected (but this weakness affects factory installs of AIM as well, which won’t be patched until they’re used). AOL claims the patches will work until the code is fixed on Oct. 16, but Core Research (which discovered the flaw) says that the patches are easily gotten around by hackers.
A demo given by security researcher Aviv Raff is quite telling. Aviv was able to use the weakness in the way AIM displays HTML content through Internet Explorer to launch the calculator on Ryan's machine just by sending him an IM.
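To make the mechanism concrete, here is an added illustration that is not code from this post, from AOL, or from the researchers involved: the general pattern behind this class of flaw is an IM client that pastes incoming message text straight into the HTML that its embedded browser control renders, so markup inside a message becomes part of the page. Beside it are the two hardened forms a client would use instead: escape the message so it is shown literally, or allow only a small fixed set of formatting tags and escape everything else. The function names and the sample messages are assumptions constructed for this example; no DOM or browser is needed to run it.

```javascript
// Added example: rendering attacker-controlled IM text without handing it to
// an HTML engine as markup. Pure string code; all sample messages are constructed.

// Escape the five characters that carry meaning in HTML so the message body is
// displayed literally, whatever it contains.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[ch]);
}

// The weak pattern: the message body goes straight into the HTML the client's
// embedded browser control will render, so any markup in the message becomes
// live markup on the page.
function renderUnsafe(sender, body) {
  return `<div class="im"><b>${sender}</b>: ${body}</div>`;
}

// The hardened pattern: every untrusted field is escaped before it is placed
// into markup, so markup inside the message is shown as text, not interpreted.
function renderSafe(sender, body) {
  return `<div class="im"><b>${escapeHtml(sender)}</b>: ${escapeHtml(body)}</div>`;
}

// Many IM clients want to keep simple formatting. This allow-list keeps only the
// exact tags named here (case-insensitively) and escapes every other tag-like
// run, so an unknown tag or a tag carrying attributes is rendered as plain text.
const ALLOWED_TAGS = new Set(["<b>", "</b>", "<i>", "</i>"]);

function sanitizeFormatting(body) {
  return String(body)
    .split(/(<\/?[a-zA-Z][^<>]*>)/) // capturing group keeps the tag-like runs
    .map((part) => (ALLOWED_TAGS.has(part.toLowerCase()) ? part.toLowerCase() : escapeHtml(part)))
    .join("");
}

// Test oracle: list the tags that survive in a rendered string. For output of
// sanitizeFormatting this should never contain anything outside ALLOWED_TAGS.
function tagsIn(html) {
  return (html.match(/<\/?[a-zA-Z][^<>]*>/g) || []).map((t) => t.toLowerCase());
}

// Stand-alone demo with a constructed message.
const sample = 'hi <B>there</b> <img src="pic.png">';
console.log("unsafe   :", renderUnsafe("bob", sample));
console.log("escaped  :", renderSafe("bob", sample));
console.log("allowlist:", sanitizeFormatting(sample));
```

The split-and-map approach is deliberately simple: because every run that is not an exact allow-listed tag is escaped, there is no way for attributes, unclosed brackets, or mixed-case tricks to reach the renderer as markup, and `tagsIn` gives a one-line check that the invariant holds.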
According to The Globe and Mail’s Tech Blog:
The flaw exists in the most recent versions of AIM 6.1, and in 6.2, which is still in beta-testing mode. Core Security also found it in the business-focused AIM Pro and in AIM Lite. The problem does not crop up in AIM 5.9, an older edition that many users still have, or in version 6.5, which also is in beta mode.
If you wonder why I’ve never written about weaknesses in AIM before (it’s famous for these sorts of issues), it’s because:
1) I wouldn’t have time to keep up with the flaws security researchers find in it nearly every week
2) This week’s flaw is very serious, so I’m making an exception to Reason 1), and…
3) I hate to say it, but despite my constant inner fog of anti-AOLness, I always kind of liked AIM. I used to message with someone I cared about on it, so it has a bit of sentimental value.
That said, let’s get all this AIM crap uninstalled.