Vulnerability Note VU#744139
AOL Instant Messenger installer adds "http://free.aol.com" to Trusted Sites Zone in Microsoft Internet Explorer
The installer for AOL Instant Messenger contains a vulnerability that weakens the security settings of Microsoft Internet Explorer.
There is a vulnerability in the installer for AOL Instant Messenger (AIM) that silently adds "http://free.aol.com" to the list of Trusted Sites in Microsoft's Internet Explorer (MSIE). The default security level for the Trusted Sites Zone is "Low". According to the description in the MSIE Internet Options dialog, the "Low" security level has the following properties:
- Minimal safeguards and warning prompts are provided
The addition of "http://free.aol.com" to the Trusted Sites Zone may allow AOL to execute arbitrary code on affected Windows hosts. Furthermore, it may be possible for remote attackers to execute arbitrary code by exploiting this vulnerability in combination with a cross-site scripting or DNS spoofing vulnerability.
The CERT/CC has verified this vulnerability by installing AIM 4.7.2480 (the latest stable version) on a Windows 98 machine running IE 6.0. We have not yet confirmed the existence of this vulnerability on other combinations of AIM, Windows, and Internet Explorer.
This vulnerability weakens the security settings of affected hosts, thus increasing the likelihood that a remote attacker can execute arbitrary code on behalf of the victim.
The CERT/CC is currently unaware of a practical solution to this problem.
Remove the URL from the list of Trusted Sites
- Click on the "Security" tab
- Select the "Trusted Sites" icon
- Click the "Sites..." button
- Select "http://free.aol.com" from the box labeled "Web sites:" and click the "Remove" button
Please note that subsequent installation of AIM will cause the URL to be added again.
Systems Affected (Learn More)
|Vendor||Status||Date Notified||Date Updated|
|AOL Time Warner||Affected||02 May 2002||02 May 2002|
|Microsoft||Not Affected||02 May 2002||08 May 2002|
CVSS Metrics (Learn More)
This document was written by Jeffrey P. Lanza.
- CVE IDs: Unknown
- Date Public: 08 Apr 2002
- Date First Published: 08 May 2002
- Date Last Updated: 08 May 2002
- Severity Metric: 14.51
- Document Revision: 30
If you have feedback, comments, or additional information about this vulnerability, please send us email.