CERT: AOL Radio has high-risk flaw

Summary:The U.S. Computer Emergency Readiness Team has warned about a code execution flaw in the AOL Radio software.

The U.S. Computer Emergency Readiness Team has warned about a code execution flaw in the AOL Radio software.

I'm not sure how many folks use AOL Radio, but AOL still has a lot of eyeballs. If you're one of those AOL users check out the CERT warning.

As for the details, CERT's Will Dorman writes in a warning that the AOLMediaPlaybackControl application has "a stack buffer overflow, which may allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system."

The vulnerability resides in an ActiveX control called AmpX. AOL Radio uses this control to stream audio on Web pages. Dorman notes:

The AOL AmpX ActiveX control, which is provided by AmpX.dll, uses a program called AOLMediaPlaybackControl.exe. The AOLMediaPlaybackControl application contains a stack buffer overflow that is exploitable via the AmpX ActiveX control's AppendFileToPlayList() method.

On the bright side, AOL has fixed the vulnerability in what Dorman calls "an unspecified automatic update." The upshot: If you use AOL Radio make sure you have the AmpX ActiveX control version Alternatively, you can disable the AmpX ActiveX control in Internet Explorer.

Via Ryan Naraine.

Topics: Security, Software Development


Larry Dignan is Editor in Chief of ZDNet and SmartPlanet as well as Editorial Director of ZDNet's sister site TechRepublic. He was most recently Executive Editor of News and Blogs at ZDNet. Prior to that he was executive news editor at eWeek and news editor at Baseline. He also served as the East Coast news editor and finance editor at CN... Full Bio

zdnet_core.socialButton.googleLabel Contact Disclosure

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Related Stories

The best of ZDNet, delivered

You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
Subscription failed.