Ivan Arce, Core Security chief technology officer, told on Tuesday that the company discovered the flaw on Aug. Other flaws included remote exploitation of ActiveX controls in the corresponding security zone and cross-site request forgery and token and cookie manipulation using embedded HTML.
They were also able to exploit IE bugs without user interaction and to inject scripting code, such as JavaScript, into the embedded IE control of the AIM client. Researchers at CoreLabs said they exploited this vulnerability to launch several types of attacks on workstations running AIM, including remote execution of arbitrary commands without user interaction.
This permits an attacker to exploit IE without user interaction, or target security configuration weaknesses in the browser. The flaw, which exists in AIM's HTML rendering function that relies on an embedded Internet Explorer (IE) server control, could allow an attacker to deliver malicious HTML code as part of a conversation, according to Core.