
AOL Instant Messenger Predictable File Location Weakness

Feb 19, 2004 11:04PM PST

Secunia Advisory: SA10930
Release Date: 2004-02-20
Critical: Not critical
Impact:
Where: From remote

Software: AOL Instant Messenger 4.x
AOL Instant Messenger 5.x

Description:
Michael Evanchik has reported a weakness in AOL Instant Messenger, which potentially can be exploited in combination with known browser vulnerabilities and functionality to compromise users' systems.

The problem is that AOL Instant Messenger reportedly creates buddy icons in predictable locations in which arbitrary script code can be placed.

This can be used to place malicious content in a predictable file on a user's system. Combined with certain known browser vulnerabilities and functionality, which allow arbitrary files on a user's system to be read, this may allow execution of script code in the context of the "My Computer" security zone.

The weakness has been reported in versions 4.3 through 5.5. Other versions may also be affected.

Solution:
Disable use of buddy icons ("My Aim" > "Edit Options" > "Edit Preferences" > "Buddy Icons").

http://secunia.com/advisories/10930/
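As an added illustration, not part of the original post or the Secunia advisory: a defender-side check that audits a buddy-icon cache directory for files that are not genuine images, or that carry script markup behind a valid image header (a polyglot). The advisory does not give the real cache path, so the example writes three constructed sample icons to a temporary directory and audits that instead.

```python
import os
import re
import tempfile

# Header bytes of the raster formats a buddy icon is expected to be.
IMAGE_MAGIC = {
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpeg",
    b"BM": "bmp",
}

# Markup that has no business inside an image; a browser that opens the file
# from a local-zone URL would interpret it rather than treat it as pixels.
SCRIPT_MARKUP = re.compile(rb"<\s*(script|iframe|object|embed)\b|javascript:", re.I)


def image_kind(data: bytes):
    """Return the image type implied by the file header, or None if unrecognised."""
    for magic, kind in IMAGE_MAGIC.items():
        if data.startswith(magic):
            return kind
    return None


def audit_icon_cache(cache_dir: str):
    """Return (filename, reason) for every file in cache_dir that is not a clean image."""
    findings = []
    for name in sorted(os.listdir(cache_dir)):
        with open(os.path.join(cache_dir, name), "rb") as fh:
            data = fh.read()
        if image_kind(data) is None:
            findings.append((name, "no recognised image header"))
        elif SCRIPT_MARKUP.search(data):
            findings.append((name, "image header followed by script markup (polyglot)"))
    return findings


def demo():
    """Write three constructed sample icons to a temp directory and audit them."""
    cache = tempfile.mkdtemp(prefix="icon_cache_")  # constructed stand-in for the real cache path
    samples = {
        "buddy1.gif": b"GIF89a" + b"\x00" * 32,                             # genuine image
        "buddy2.gif": b"<html><script>run()</script></html>",                # HTML in an icon slot
        "buddy3.gif": b"GIF89a" + b"\x00" * 16 + b"<script>run()</script>",  # polyglot
    }
    for name, content in samples.items():
        with open(os.path.join(cache, name), "wb") as fh:
            fh.write(content)
    return audit_icon_cache(cache)
```

Pointing `audit_icon_cache` at the actual icon directory turns this into a periodic integrity check; any finding means something other than an image has been written where the client expects one.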
