AOL Instant Messenger Notification Window Remote Script Code Execution Vulnerability
BID:25659
Info
| Bugtraq ID: | 25659 |
| Class: | Design Error |
| CVE: | CVE-2007-4901 |
| Remote: | Yes |
| Local: | No |
| Published: | Sep 13 2007 12:00AM |
| Updated: | Oct 10 2007 07:38PM |
| Credit: | Shell, Lone and Lucas Lavarello are credited with the discovery of this issue. |
| Vulnerable: | AOL Instant Messenger 6.1.41.2; AOL Instant Messenger Pro; AOL Instant Messenger Lite; AOL Instant Messenger 6.1.32.1 |
| Not Vulnerable: | AOL Instant Messenger 6.5.4.16 |
Discussion
AOL Instant Messenger is prone to a remote script-code-execution vulnerability.
An attacker may leverage this issue to execute arbitrary script code in the notification window of an unsuspecting user. This may help the attacker launch other attacks.
Exploit / POC
An attacker can exploit this issue using AOL Instant Messenger or another compatible chat client.
Solution / Fix
Solution:
The vendor released an update to address this issue. Please see the references for more information.
NOTE: Further reports suggest that AOL Instant Messenger 6.5.3.12 is still vulnerable to this issue; Symantec has not confirmed this information.
UPDATE (October 9, 2007): Further testing indicates that AOL Instant Messenger 6.5.4.16 is not vulnerable to this issue. Users are advised to install the latest stable release. Please see the references for details.
References