Overview
The installer for AOL Instant Messenger contains a vulnerability that weakens the security settings of Microsoft Internet Explorer.
Description
There is a vulnerability in the installer for AOL Instant Messenger (AIM) that silently adds "http://free.aol.com" to the list of Trusted Sites in Microsoft's Internet Explorer (MSIE). The default security level for the Trusted Sites Zone is "Low". According to the description in the MSIE Internet Options dialog, the "Low" security level has the following properties:

- Minimal safeguards and warning prompts are provided
- Most content is downloaded and run without prompts
- All active content can run
- Appropriate for sites that you absolutely trust

The addition of "http://free.aol.com" to the Trusted Sites Zone may allow AOL to execute arbitrary code on affected Windows hosts. Furthermore, it may be possible for remote attackers to execute arbitrary code by exploiting this vulnerability in combination with a cross-site scripting or DNS spoofing vulnerability.

The CERT/CC has verified this vulnerability by installing AIM 4.7.2480 (the latest stable version) on a Windows 98 machine running IE 6.0. We have not yet confirmed the existence of this vulnerability on other combinations of AIM, Windows, and Internet Explorer.
Impact
This vulnerability weakens the security settings of affected hosts, thus increasing the likelihood that a remote attacker can execute arbitrary code on behalf of the victim.
Solution
The CERT/CC is currently unaware of a practical solution to this problem.
Remove the URL from the list of Trusted Sites
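An added example (not part of the original advisory) for checking whether a host carries the entry before removing it: it parses a registry export of Internet Explorer's zone map and lists the sites assigned to Trusted Sites. It assumes IE's ZoneMap\Domains registry layout, in which a zone value of 2 means Trusted Sites; the export text and the function names are constructed for illustration.

```python
import re

# Assumption: IE stores site-to-zone assignments under ZoneMap\Domains,
# one key per domain, one subkey per host label, zone 2 = Trusted Sites.
TRUSTED_ZONE = 2
ZONEMAP_RE = re.compile(r"\\ZoneMap\\Domains\\(?P<path>[^\]]+)\]$", re.IGNORECASE)
VALUE_RE = re.compile(r'^"(?P<scheme>[^"]+)"=dword:(?P<zone>[0-9a-fA-F]{8})$')

# Constructed sample of a registry export; not taken from a real host.
SAMPLE_EXPORT = r"""REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\aol.com]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\aol.com\free]
"http"=dword:00000002

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\example.test]
"https"=dword:00000004
"""

def trusted_sites(export_text):
    """Return sorted 'scheme://host' entries mapped to the Trusted Sites zone."""
    found, host = set(), None
    for line in export_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            # New key: remember its host only if it sits under ZoneMap\Domains.
            m = ZONEMAP_RE.search(line)
            host = None
            if m:
                # Key path is domain\subdomain; the host is subdomain.domain.
                parts = m.group("path").split("\\")
                host = ".".join(reversed(parts)).lower()
            continue
        m = VALUE_RE.match(line)
        if host and m and int(m.group("zone"), 16) == TRUSTED_ZONE:
            found.add(f"{m.group('scheme').lower()}://{host}")
    return sorted(found)

def flags_advisory_entry(export_text, entry="http://free.aol.com"):
    """True if the entry named in this advisory is in the Trusted Sites zone."""
    return entry in trusted_sites(export_text)

if __name__ == "__main__":
    for site in trusted_sites(SAMPLE_EXPORT):
        print("Trusted Sites:", site)
```

Running the same check after each AIM install or upgrade shows whether the entry has been added again.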
Acknowledgements
This document was written by Jeffrey P. Lanza.
Other Information
CVE IDs: None
Severity Metric: 14.51
Date Public: 2002-04-08
Date First Published: 2002-05-08
Date Last Updated: 2002-05-08 18:49 UTC
Document Revision: 30