AOL Patches AIM Security Flaw

AOL Time Warner Thursday applied a server-side patch to a security flaw in the 4.7 and 4.8 versions of its AOL
Instant Messenger (AIM).

The fix plugs a hole that could potentially have allowed destructive Internet worms to infect AIM’s 100 million+ users. Because the
patch is a server-side fix, AIM users will not have to download it.

“To our knowledge, the issue has not affected any AIM users,” AOL spokesman Andrew Weinstein told Wednesday.

Information about the vulnerability first surfaced Wednesday with an advisory from the non-profit security research group w00w00
Security Development. At the time, the group said the flaw, which consisted of a buffer overflow in the code that parses a game
request in AIM’s “Play Game with Buddy” feature, would allow remote penetration of a victim’s system without any indication as to
who had performed the attack. Such an attack could download itself off of the Web and then use AIM’s “buddy list” to attack the
victim’s associates.

News Around the Web