AOL: Fix for critical IM flaw due this week

AOL has admitted that there's a flaw in its Instant Messenger application, but says a fixed version is just days away
Written by Graeme Wearden, Contributor
AOL acknowledged on Tuesday that its Instant Messenger client is vulnerable to a buffer-overflow attack, and promised that a fix would be available to users within days.

"We have been working on a resolution in tandem with iDefense for more than a month," said Krista Thomas of AOL's corporate communications division.

"The issue has been fixed in our new client update beta, which will go live later this week," Thomas added.

News of the vulnerability hit the Web late on Monday after Internet Security Systems and Secunia reported that AOL IM contained a serious security hole that could allow malicious hackers to take control of a user's PC.

"The vulnerability is caused due to a boundary error within the handling of 'away' messages and can be exploited to cause a stack-based buffer overflow by supplying an overly long 'away' message (about 1,024 bytes). A malicious Web site can exploit this via the 'aim:' URI handler by passing an overly long argument to the 'goaway?message' parameter," reported Secunia. Secunia described the vulnerability as "highly critical".

Once the buffer overflow has been triggered, a malicious hacker could then direct the client PC to a Web site where more code could be downloaded.
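A Web proxy or content filter can look for the condition Secunia describes before a page reaches the client. The sketch below is an added example, not code from AOL, Secunia or iDefense; the 512-byte threshold, the function names and the sample pages are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote_to_bytes

# Assumed threshold: the advisory puts the overflow at about 1,024 bytes,
# so flag well below that to leave a margin.
MAX_AWAY_BYTES = 512

# Finds aim:goaway links in raw page content and captures the query string.
AIM_GOAWAY = re.compile(rb"aim:goaway\?([^\s\"'<>]*)", re.IGNORECASE)


def away_message_lengths(content: bytes):
    """Yield the decoded byte length of each goaway 'message' argument."""
    for match in AIM_GOAWAY.finditer(content):
        # Parameters may be separated by '&' or the HTML-escaped '&amp;'.
        for pair in re.split(rb"&(?:amp;)?", match.group(1)):
            name, _, value = pair.partition(b"=")
            if name.lower() == b"message":
                # Measure after percent-decoding: %41 is one byte once decoded.
                yield len(unquote_to_bytes(value.replace(b"+", b" ")))


def is_suspicious(content: bytes, limit: int = MAX_AWAY_BYTES) -> bool:
    """True if any away message on the page exceeds the limit."""
    return any(n > limit for n in away_message_lengths(content))


# Constructed sample pages (not real traffic).
BENIGN = b'<a href="aim:goaway?message=Out+to+lunch">set away</a>'
ENCODED_SHORT = b'<iframe src="AIM:GoAway?Message=' + b"%41" * 200 + b'&amp;x=1">'
OVERLONG = b'<a href="aim:goaway?message=' + b"%41" * 600 + b'">click</a>'

if __name__ == "__main__":
    for label, page in [("benign", BENIGN), ("encoded-short", ENCODED_SHORT),
                        ("overlong", OVERLONG)]:
        print(label, list(away_message_lengths(page)), is_suspicious(page))
```

Measuring the decoded length matters: the second sample is 600 characters on the wire but only 200 bytes once decoded, so a raw string-length rule would misjudge it.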

Thomas said that AOL is grateful to "Matt Murphy and iDefense for their assistance to responsibly address this issue."

The client update beta due this week will be located at AOL's Instant Messenger site. In the meantime, iDefense has provided a workaround that can be used until the new AOL IM beta version is available.

iDefense said it does not yet know of any exploits that take advantage of the vulnerability but warned that the threat should not be taken lightly.

"This is a very serious situation for AOL users at this time," said Ken Dunham, director of malicious code for iDefense. "IM is more dangerous than email. You read email throughout the day. But if your buddy sends you an instant message, you read it instantly. So, from a threat metric, it's a whole lot scarier. You can have really fast worms over IM."

CNET News.com's Dawn Kawamoto contributed to this report.
