search menu icon-carat-right cmu-wordmark

CERT Coordination Center

AOL Instant Messenger saves code embedded in image tag to conversation log which could be viewed/executed by a browser

Vulnerability Note VU#541384

Original Release Date: 2002-04-05 | Last Revised: 2002-04-05


Certain Alpha versions of AOL Instant Messenger (AIM), that were leaked, would log errors to a log file. By sending a crafted image file, it may be possible to execute arbitrary script/HTML on a victims browser when they view the log files.


AOL Instant Messenger has the ability to embed images into an instant message. However, if the graphic is not a valid image then an icon will be displayed showing the file type and the image data is saved to the log file. The images are saved in a the following format:

<BINARY><STYLE><DATA ID="1" SIZE="66">Data that would be inside the image</DATA></STYLE></BINARY>

If you were to send an HTML file which included malicious script/HTML code with a image extension that started with </DATA></STYLE></BINARY>, then the script/HTML would be interpreted if logs were saved and viewed with an html browser.

In some Alpha versions of AIM versions 4.4 and later, that were leaked, logs are saved by default to C:\AimLogs\Username\IMLog.htm, and while AIM has a utility to view the logs, clicking directly on the file will launch the victim's default web browser to view it. If you do not have a leaked Alpha version, then you will not be vulnerable to this issue.


An attacker can execute arbitrary script/HTML on the victims machine when the logs are viewed with a web browser.


Upgrade to AIM version 4.7, or any other non-leaked version, which has logging disabled.

Do not use pre-production alpha's, especially ones that have been leaked/stolen. Open the logs in a text-only viewer. You can also configure AIM to not accept any image connections. Additionally, AIM versions 4.4 or higher that support logging, also included a Log Manager. Use the Log Manager to view log files.

Vendor Information


AOL Time Warner Affected

Notified:  October 17, 2001 Updated: January 28, 2002



Vendor Statement

Not really specific to AIM/not an AIM issue. It is not any more of a risk than if someone sent a dangerous web file to someone via an email or via file transfer. AIM does not know whether an invalid image file sent in an IM Image session is dangerous or not. Also, we don't include IM logging in the client right now although it did exist in some internal Alphas that leaked to the public.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.


The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

CVSS Metrics

Group Score Vector



Our thanks to Steve Manzuik for the information contained in his posting.

This document was written by Jason Rafail and is based on information contained in Steve Manzuik's posting.

Other Information

CVE IDs: None
Severity Metric: 0.66
Date Public: 2001-01-24
Date First Published: 2002-04-05
Date Last Updated: 2002-04-05 21:26 UTC
Document Revision: 14

Sponsored by CISA.