Vulnerability Note VU#744139

AOL Instant Messenger installer adds "http://free.aol.com" to Trusted Sites Zone in Microsoft Internet Explorer

Original Release date: 08 May 2002 | Last revised: 08 May 2002

Overview

The installer for AOL Instant Messenger contains a vulnerability that weakens the security settings of Microsoft Internet Explorer.

Description

There is a vulnerability in the installer for AOL Instant Messenger (AIM) that silently adds "http://free.aol.com" to the list of Trusted Sites in Microsoft's Internet Explorer (MSIE). The default security level for the Trusted Sites Zone is "Low". According to the description in the MSIE Internet Options dialog, the "Low" security level has the following properties:

    - Minimal safeguards and warning prompts are provided
    - Most content is downloaded and run without prompts
    - All active content can run
    - Appropriate for sites that you absolutely trust


The addition of "http://free.aol.com" to the Trusted Sites Zone may allow AOL to execute arbitrary code on affected Windows hosts. Furthermore, it may be possible for remote attackers to execute arbitrary code by exploiting this vulnerability in combination with a cross-site scripting or DNS spoofing vulnerability.

The CERT/CC has verified this vulnerability by installing AIM 4.7.2480 (the latest stable version) on a Windows 98 machine running IE 6.0. We have not yet confirmed the existence of this vulnerability on other combinations of AIM, Windows, and Internet Explorer.

Impact

This vulnerability weakens the security settings of affected hosts, thus increasing the likelihood that a remote attacker can execute arbitrary code on behalf of the victim.

Solution

The CERT/CC is currently unaware of a practical solution to this problem.

Remove the URL from the list of Trusted Sites

Affected users can remove "http://free.aol.com" from the list of Trusted Sites in Internet Explorer by taking the following actions:

    - Select "Tools... Internet Options..." from the menu bar
    - Click on the "Security" tab
    - Select the "Trusted Sites" icon
    - Click the "Sites..." button
    - Select "http://free.aol.com" from the box labeled "Web sites:" and click the "Remove" button

Please note that subsequent installation of AIM will cause the URL to be added again.

Systems Affected (Learn More)

VendorStatusDate NotifiedDate Updated
AOL Time WarnerAffected02 May 200202 May 2002
MicrosoftNot Affected02 May 200208 May 2002
If you are a vendor and your product is affected, let us know.

CVSS Metrics (Learn More)

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A N/A

References

Credit

This document was written by Jeffrey P. Lanza.

Other Information

  • CVE IDs: Unknown
  • Date Public: 08 Apr 2002
  • Date First Published: 08 May 2002
  • Date Last Updated: 08 May 2002
  • Severity Metric: 14.51
  • Document Revision: 30

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.