Two security companies are claiming there is a serious vulnerability in AOL's Instant Messenger application that could allow malicious hackers to take control of a user's PC.
According to Danish security firm Secunia and Internet Security Systems, there is a flaw in the 'away' function of AIM - a feature which users can flag up to notify contacts when they are away from their computer.
Reports suggest ISS had already reported the issue to AOL, not wishing to go public with an unpatched threat, but it followed Secunia's 'critical' announcement with its own.
Secunia, which credits Ryan McGeehan with finding the vulnerability, said in a statement: "The vulnerability is caused due to a boundary error within the handling of 'Away' messages and can be exploited to cause a stack-based buffer overflow by supplying an overly long 'Away' message (about 1,024 bytes).
"A malicious website can exploit this via the 'aim:' URI handler by passing an overly long argument to the 'goaway?message' parameter."
In short, that all means that if the buffer overflow is executed correctly, then a malicious hacker could direct the client PC to a website where more code could be downloaded.
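The advisory quoted above describes a classic boundary error: an argument arriving through the 'aim:' URI handler is copied into a fixed-size buffer without its length being checked first. The following is an added illustration of the check that closes that class of bug, written for this article and not taken from AOL's client or from either advisory. The 1,024-byte buffer size, the exact 'aim:goaway?message=' prefix, and all function names are assumptions made for the example; the real client's internal limits are not known from the article.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed buffer size, chosen to match the ~1,024-byte figure in the
 * advisory; the real client's limit is not stated in the article. */
#define AWAY_MSG_MAX 1024

enum goaway_status {
    GOAWAY_OK = 0,
    GOAWAY_NOT_GOAWAY = -1, /* URI is not of the form aim:goaway?message=... */
    GOAWAY_TOO_LONG = -2,   /* argument would not fit; rejected, not truncated */
    GOAWAY_BAD_ARGS = -3
};

/*
 * Copy the 'message' argument of an aim:goaway?message=... URI into a
 * caller-supplied buffer. The bound is enforced BEFORE any byte is copied,
 * which is exactly the step a stack-based overflow of this kind lacks.
 * Returns one of enum goaway_status.
 */
int extract_goaway_message(const char *uri, char *out, size_t outlen)
{
    static const char prefix[] = "aim:goaway?message="; /* assumed format */
    const size_t prefix_len = sizeof(prefix) - 1;
    const char *arg;
    size_t arg_len;

    if (uri == NULL || out == NULL || outlen == 0)
        return GOAWAY_BAD_ARGS;
    if (strncmp(uri, prefix, prefix_len) != 0)
        return GOAWAY_NOT_GOAWAY;

    arg = uri + prefix_len;
    /* The argument ends at the next '&' (a further parameter) or at NUL. */
    arg_len = strcspn(arg, "&");

    /* The boundary check: argument plus its NUL terminator must fit. */
    if (arg_len >= outlen)
        return GOAWAY_TOO_LONG;

    memcpy(out, arg, arg_len);
    out[arg_len] = '\0';
    return GOAWAY_OK;
}

/* Run the check against a fixed-size buffer and report only the status. */
int check_goaway_uri(const char *uri)
{
    char msg[AWAY_MSG_MAX];
    return extract_goaway_message(uri, msg, sizeof msg);
}

/* Returns 1 if the extracted message equals 'expected', else 0. */
int goaway_message_equals(const char *uri, const char *expected)
{
    char msg[AWAY_MSG_MAX];
    if (extract_goaway_message(uri, msg, sizeof msg) != GOAWAY_OK)
        return 0;
    return strcmp(msg, expected) == 0;
}

/* Build a constructed test URI whose message is msg_len 'A' characters.
 * Uses a static buffer, so each call overwrites the previous result. */
const char *constructed_goaway_uri(size_t msg_len)
{
    static char buf[4096];
    const char *prefix = "aim:goaway?message=";
    size_t plen = strlen(prefix);
    if (msg_len > sizeof(buf) - plen - 1)
        msg_len = sizeof(buf) - plen - 1;
    memcpy(buf, prefix, plen);
    memset(buf + plen, 'A', msg_len);
    buf[plen + msg_len] = '\0';
    return buf;
}

int main(void)
{
    /* Constructed inputs: one ordinary away message, one oversized one. */
    printf("short message: status %d\n",
           check_goaway_uri("aim:goaway?message=back+in+5"));
    printf("1500-byte message: status %d\n",
           check_goaway_uri(constructed_goaway_uri(1500)));
    return 0;
}
```

The design choice worth noting is rejection rather than silent truncation: a handler that truncates an over-length argument still accepts attacker-shaped input, whereas a rejected URI can be logged and surfaced as a signal that something on the originating page is probing the handler.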
Secunia has said that an updated version of AOL IM that isn't vulnerable to this flaw will be made available, but no details of this were visible on AOL's website at the time of writing.
AOL has so far been unable to comment on the flaw in the UK, referring questions to the US which will be waking up to news of the problem around the time of publication.
Graeme Wearden writes for ZDNet UK
Comments
There are 2 comments.
1. anonymous
So does that mean that, since AOL is unwilling to admit fault, if I'm hacked and all of my financial info is stolen, I can sue them for mismanagement of their network? Seems to me that AOL cares very little these days about much other than making a profit. Up to and including sending jobs to India, where they have no idea of American culture.
I think it's time that AOL start paying attention to the bottom line, and that's their customers' satisfaction and not their pocket books.
2. anonymous
Have AOL ever cared much about customer satisfaction?
Their interpretation of the "bottom line" is, of course, the usual definition of profit margin.
Let's face it, all instant messaging programs are flawed & vulnerable.
Basically, don't use IM.
You will doubtless find that you can live (more productively) without it.