PT-2007-6015 · Microsoft+1 · Mshtml.Dll+4

Published: 2007-09-14 · Updated: 2018-10-15 · CVE-2007-4901

CVSS v2.0: 5.8 (Medium)
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:N
Name of the Vulnerable Software and Affected Versions:
AOL Instant Messenger (AIM) version 6.1.41.2
AOL Instant Messenger (AIM) version 6.2.32.1
AIM Pro (affected versions not specified)
AIM Lite (affected versions not specified)
Description: Incoming instant messages are rendered by the embedded Internet Explorer server control in AOL Instant Messenger, which does not properly constrain the web script and HTML functionality of mshtml.dll for that content. A remote attacker who sends a crafted message can therefore place HTML into unexpected contexts or execute arbitrary code. Two demonstrated consequences: arbitrary HTML is written into a notification window, and the contents of arbitrary local image files are rendered into that window via IMG SRC.
Recommendations: For AOL Instant Messenger (AIM) versions 6.1.41.2 and 6.2.32.1, consider disabling the embedded Internet Explorer server control until a patch is available. For AIM Pro and AIM Lite, no newer version containing a fix for this issue is known at the moment.


Related Identifiers

CVE-2007-4901

Affected Products

Aim Lite
Aim Pro
Aol Instant Messenger
Internet Explorer
Mshtml.Dll