You are here: silicon.com > Software > Security Strategy

Security Strategy

'Critical' AOL IM flaw exposed

PCs could be taken over by hackers...

By Will Sturgeon and Graeme Wearden

Published: 10 August 2004 13:35 BST

Two security companies are claiming there is a serious vulnerability in AOL's Instant Messenger application that could allow malicious hackers to take control of a user's PC.

According to Danish security firm Secunia and Internet Security Systems, there is a flaw in the 'away' function of AIM - a feature which users can flag up to notify contacts when they are away from their computer.

Reports suggest ISS had already reported the issue to AOL, not wishing to go public with an unpatched threat, but it followed Secunia's 'critical' announcement with its own.

Secunia, which credits Ryan McGeehan with finding the vulnerability, said in a statement: "The vulnerability is caused due to a boundary error within the handling of 'Away' messages and can be exploited to cause a stack-based buffer overflow by supplying an overly long 'Away' message (about 1,024 bytes).

"A malicious website can exploit this via the 'aim:' URI handler by passing an overly long argument to the 'goaway?message' parameter."

In short that all means that if the buffer overflow is executed correctly than a malicious hacker could direct the client PC to a website where more code could be downloaded.

Secunia has said that an updated version of AOL IM that isn't vulnerable to this flaw will be made available, but no details of this were visible on AOL's website at the time of writing.

AOL has so far been unable to comment on the flaw in the UK, referring questions to the US which will be waking up to news of the problem around the time of publication.

Graeme Wearden writes for ZDNet UK

  1. Zones
  2. Management
  3. Networks
  4. Software
  5. IT Services
  6. Hardware
  1. Verticals
  2. Public Sector
  3. Financial Services
  4. Retail & Leisure

ASP.Net C# Ecommerce Developer Birmingham city centre

The aim of the work is to maintain and update their existing E-Commerce / Database website, and to produce further quality E-commerce database-driven ...

Security Consultant Ethical Hacking / Penetration Testing - London

Responsibilities: - Deliver security assessment services including network scanning, vulnerability testing, penetration testing, search engine ...

PC Support Engineer

Please visit our website by clicking apply below quoting reference 71829. PC Support Engineer Band 5 19,683 - 25,424 p.a. The PC Support Engineer is ...

CIO Agenda 2008
The exclusive silicon.com CIO Agenda 2008 survey looks at the CIO's tech shopping list for the year, examines whether IT budgets are rising or falling and reveals what the pain points are for tech chiefs this year. Find out more in our latest special report.





Quick Sitemap Links: