Critical Bug Found in AOL's AIM Buffer Overflow Flaw Reported, Patch Expected Later This Week Ryan Naraine
A buffer overflow flaw in America Online's flagship AIM instant messaging platform could put millions of users at risk of computer takeover, security researchers warned today.
The vulnerability, first discovered by iDefense, could allow a malicious hacker to use the "Away Message" feature to take control of a user's machine. Secunia rates the flaw as "highly critical."
AOL spokesman Andrew Weinstein confirmed the bug could be exploited on AIM versions 5.5 and lower. The company plans to release an update later this week to correct the issue.
"The vulnerability specifically exists due to insufficient bounds checking on user-supplied values passed to the 'goaway' function of the AOL Instant Messenger 'aim:' URI handler. A long message buffer will overwrite values stored on the stack and may be used to overwrite a Structured Exception Handler (SEH) pointer," iDefense said in an alert.
The iDefense advisory was hurriedly issued after Secunia published an alert claiming that AOL was contacted about the bug but had not responded.
Weinstein told internetnews.com the company has been working on a resolution in tandem with iDefense for more than a month.
"iDefense reported this to us a month ago. We are working with them in a responsible way to address this," Weinstein said.
He made it clear that an exploit could only be successful if a user actively clicks on a URL in an instant message conversation.
"We always caution users to be careful before clicking on links received in IMs."
