Article

AOL, Yahoo, Trillian IM applications under threat

Bill Brenner

Vulnerability researchers are warning instant messaging users to beware of flaws in AOL Instant Messenger (AIM), Trillian and Yahoo Messenger attackers could exploit to run malicious code on targeted machines or cause a denial of service.

Nate Mcfeters, Billy Rios and Raghav Dube have released a

Requires Free Membership to View

cross application scripting and uniform resource identifier (URI) Uniform Resource Identifier exploitation demonstration affecting AIM and Trillian. The researchers said the flaws surface when specially crafted URIs using the registered URI 'aim:' protocol are processed by the application's 'aim.dll' library when a malicious URI is accessed in a Web browser and passed to the application.

Danish vulnerability clearinghouse Secunia tested the research and described two flaws in its Trillian "aim://" URI Handler SA26086 advisory:

Secunia said that the aim:// URI handler does not verify certain parts of the "aim://" URI before writing it into a file specified via the unverified "ini=" parameter, Secunia explained, adding, "This can be exploited to write a batch file into the Windows 'Start-up' folder that starts an attacker-defined application by tricking a user into following a specially crafted 'aim://' URI."

A boundary error also exists within the processing of "aim://" URIs attackers could exploit to cause a buffer overflow by tricking a user into following a specially crafted "aim://" URI.

Secunia confirmed these flaws could ultimately be used to run malicious code on targeted computers.

Meanwhile, researcher Rajesh Sethumadhavan has released advisory XD100002 regarding a vulnerability attackers could exploit in Yahoo Messenger to launch malicious code or cause a denial of service.

The application fails to perform adequate boundary checks on user-supplied data, he said. Specifically, the problem is in the "email address" text box of the address book.

Cupertino, Calif.-based Symantec Corp. offered customers of its DeepSight threat management service a list of steps they can take to minimize the threat. They include running all software as a nonprivileged user with minimal access rights, deploying intrusion detection systems to monitor network traffic for malicious activity; not accepting or executing files from untrusted sources; and implementing multiple redundant layers of security.