A buffer overflow flaw in America Online’s flagship AIM
instant messaging platform could put millions of users at risk of computer
takeover, security researchers warned on Monday.
The vulnerability, first discovered by iDefense,
could allow a malicious hacker to use the
“Away Message” feature to take control of a user’s machine. Secunia rates
the flaw as “highly critical.”
AOL spokesman Andrew Weinstein confirmed the bug could be exploited on
AIM versions 5.5 and lower. The company plans to release an update later
this week to correct the issue.
“The vulnerability specifically exists due to insufficient bounds
checking on user-supplied values passed to the ‘goaway’ function of the AOL
Instant Messenger ‘aim:’ URI handler. A long message buffer will overwrite
values stored on the stack and may be used to overwrite a Structured
Exception Handler (SEH) pointer,” iDefense said in an alert.
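The bug class iDefense describes, a fixed-size stack buffer filled from an attacker-chosen URI parameter with no length check, is illustrated below in C. This is an added example, not AOL's code and not part of the iDefense advisory: the URI shape (`aim:goaway?message=...`), the function names, and the 256-byte buffer are assumptions made for the illustration, since the page does not describe AIM's real parser or buffer layout. The vulnerable form shows the unchecked copy; the hardened form refuses any value that does not fit. Exploitation (the SEH overwrite the advisory mentions) is not shown.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumption for the example: the real AIM client's buffer size is not public. */
#define AWAY_MSG_MAX 256

/* Locate the value of "message=" in a query string such as
 * "aim:goaway?message=hello&from=bob". Returns a pointer to the value
 * (not NUL-terminated) and its length, or NULL if absent.
 * Percent-decoding is deliberately omitted to keep the example short. */
static const char *find_message_param(const char *uri, size_t *len_out)
{
    const char *key = "message=";
    size_t klen = strlen(key);
    const char *q = strchr(uri, '?');
    if (!q) return NULL;
    q++;
    while (*q) {
        if (strncmp(q, key, klen) == 0) {
            const char *val = q + klen;
            const char *end = strchr(val, '&');
            *len_out = end ? (size_t)(end - val) : strlen(val);
            return val;
        }
        const char *amp = strchr(q, '&');
        if (!amp) break;
        q = amp + 1;
    }
    return NULL;
}

/* Vulnerable pattern (hypothetical): the attacker-controlled value is copied
 * into a fixed stack buffer without comparing its length to the buffer size.
 * A value longer than AWAY_MSG_MAX overwrites whatever lies above the buffer
 * on the stack. Only called here with a short, constructed input. */
int goaway_vulnerable(const char *uri)
{
    char msg[AWAY_MSG_MAX];
    size_t len;
    const char *val = find_message_param(uri, &len);
    if (!val) return -1;
    memcpy(msg, val, len);      /* no bounds check: len may exceed sizeof msg */
    msg[len] = '\0';
    return (int)len;
}

/* Hardened form: the caller supplies the destination and its size, the length
 * is checked before any byte is copied, and an oversized value is rejected
 * outright rather than silently truncated.
 * Returns the message length, -1 if no message parameter, -2 if it would not fit. */
int goaway_hardened(const char *uri, char *out, size_t out_size)
{
    size_t len;
    const char *val = find_message_param(uri, &len);
    if (!val) return -1;
    if (len >= out_size) return -2;   /* leave room for the terminating NUL */
    memcpy(out, val, len);
    out[len] = '\0';
    return (int)len;
}

/* Convenience wrapper: parse into a local AWAY_MSG_MAX buffer via the hardened path. */
int parse_away_uri(const char *uri)
{
    char msg[AWAY_MSG_MAX];
    return goaway_hardened(uri, msg, sizeof msg);
}

/* Build a constructed aim: URI whose message is n bytes of 'A' and run it
 * through the hardened path. Returns the hardened function's result code. */
int parse_away_message_of_length(size_t n)
{
    const char *prefix = "aim:goaway?message=";
    const char *suffix = "&from=bob";
    size_t plen = strlen(prefix), slen = strlen(suffix);
    char *uri = malloc(plen + n + slen + 1);
    if (!uri) return -3;
    memcpy(uri, prefix, plen);
    memset(uri + plen, 'A', n);
    memcpy(uri + plen + n, suffix, slen + 1);
    int rc = parse_away_uri(uri);
    free(uri);
    return rc;
}

int main(void)
{
    printf("short message: %d\n", parse_away_uri("aim:goaway?message=brb"));
    printf("255-byte message: %d\n", (int)parse_away_message_of_length(255));
    printf("4000-byte message: %d\n", (int)parse_away_message_of_length(4000));
    return 0;
}
```

Two things to check in a fix of this shape: the comparison happens against the destination size before the copy, and an oversized value fails closed instead of being truncated (truncation can turn one bug into a different one when the shortened string is later reused). A real handler would also percent-decode the value; doing that before the length check is safe here because decoding never lengthens the string.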
The iDefense advisory was hurriedly issued after Secunia published an alert claiming
that AOL was contacted about the bug but had not responded.
Weinstein told internetnews.com the company had been working on a
resolution in tandem with iDefense for more than a month.
“iDefense reported this to us a month ago. We are working with them in a responsible
way to address this,” Weinstein said.
He made it clear that an exploit could only succeed if a user actively
clicked on a URL in an instant message conversation.
“We always caution users
to be careful before clicking on links received in IMs.”