Michael Evanchik has reported a weakness in AOL Instant Messenger, which can potentially be exploited in combination with known browser vulnerabilities and functionality to compromise users' systems.
The problem is that AOL Instant Messenger reportedly creates buddy icons in predictable locations in which arbitrary script code can be placed.
This can be used to place malicious content in a predictable file on a user's system. Combined with certain known browser vulnerabilities and functionality that allow arbitrary files on a user's system to be read, this may allow execution of script code in the context of the "My Computer" security zone.
The weakness has been reported in versions 4.3 through 5.5. Other versions may also be affected.
Solution: Disable use of buddy icons ("My Aim" > "Edit Options" > "Edit Preferences" > "Buddy Icons").
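A defensive check for the condition described above, as an added example that is not part of the original advisory: it audits a buddy icon directory for files that are not plain images or that carry browser-interpretable markup. The advisory does not give the directory path, so it is passed as an argument; the function names, magic-byte list and markup pattern are assumptions of this example.

```python
import re
import sys
from pathlib import Path

# Leading magic bytes of image formats commonly used for icons
# (GIF, JPEG, BMP, PNG, ICO). The list is an assumption of this example.
IMAGE_MAGIC = (b"GIF87a", b"GIF89a", b"\xff\xd8\xff", b"BM",
               b"\x89PNG\r\n\x1a\n", b"\x00\x00\x01\x00")

# Markup a browser would treat as active content if it rendered the file.
ACTIVE_MARKUP = re.compile(
    rb"<\s*(script|html|body|iframe|object|embed)\b|javascript:", re.I)


def classify_icon(data: bytes) -> str:
    """Return 'ok', 'not-image' or 'active-content' for one icon file."""
    # Markup is checked first: a file can begin with a valid image
    # header and still carry script further in.
    if ACTIVE_MARKUP.search(data):
        return "active-content"
    if not data.startswith(IMAGE_MAGIC):
        return "not-image"
    return "ok"


def audit_icon_dir(directory, max_bytes=1 << 20):
    """Return (file name, verdict) for every suspicious file in directory."""
    findings = []
    for path in sorted(Path(directory).iterdir()):
        if not path.is_file():
            continue
        with path.open("rb") as fh:
            verdict = classify_icon(fh.read(max_bytes))
        if verdict != "ok":
            findings.append((path.name, verdict))
    return findings


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Path of the icon directory is supplied by the operator.
        for name, verdict in audit_icon_dir(sys.argv[1]):
            print(f"{verdict}\t{name}")
    else:
        # Constructed sample inputs, not real buddy icons.
        for sample in (b"GIF89a\x01\x00\x01\x00\x00\x00\x00;",
                       b"GIF89a<script>/* constructed */</script>",
                       b"plain text"):
            print(classify_icon(sample), sample[:16])
```

A legitimate binary image can contain one of these byte sequences by chance, so a hit is a prompt for manual review of that file.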
Provided and/or discovered by: Michael Evanchik
Original Advisory: http://www.MichaelEvanchik.com/security/microsoft/ie/aim/aim.txt