
PCs could be taken over by hackers...
Published: 10 August 2004 13:35 GMT
Two security companies are claiming there is a serious vulnerability in AOL's Instant Messenger application that could allow malicious hackers to take control of a user's PC.
According to Danish security firm Secunia and Internet Security Systems, there is a flaw in the 'away' function of AIM - a feature which users can flag up to notify contacts when they are away from their computer.
Reports suggest ISS had already reported the issue to AOL, not wishing to go public with an unpatched threat, but it followed Secunia's 'critical' announcement with its own.
Secunia, which credits Ryan McGeehan with finding the vulnerability, said in a statement: "The vulnerability is caused due to a boundary error within the handling of 'Away' messages and can be exploited to cause a stack-based buffer overflow by supplying an overly long 'Away' message (about 1,024 bytes).
"A malicious website can exploit this via the 'aim:' URI handler by passing an overly long argument to the 'goaway?message' parameter."
In short, that all means that if the buffer overflow is executed correctly, then a malicious hacker could direct the client PC to a website where more code could be downloaded.
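For defenders waiting on a fixed client, the advisory's description can be turned into a content check. The sketch below is an added example, not code from Secunia, ISS or AOL: it scans page text for `aim:goaway?` URIs and flags any whose decoded `message` parameter approaches the size the advisory cites. The 900-byte limit, the function names and the sample pages are assumptions made for illustration.

```python
import html
import re
from urllib.parse import unquote_to_bytes

# Assumed threshold: the advisory cites "about 1,024 bytes", so flag
# anything approaching that size rather than waiting for an exact match.
MAX_AWAY_BYTES = 900

# An aim:goaway?<query> URI as it would appear in an HTML attribute or text.
AIM_GOAWAY = re.compile(r"aim:goaway\?([^\s\"'<>]*)", re.IGNORECASE)


def away_message_lengths(query):
    """Decoded byte length of every 'message' parameter in a goaway query."""
    lengths = []
    for pair in re.split(r"[&;]", query):
        name, _, value = pair.partition("=")
        # Percent-decode both sides so %6dessage=... is not missed.
        if unquote_to_bytes(name).lower() == b"message":
            lengths.append(len(unquote_to_bytes(value)))
    return lengths


def find_oversized_goaway(page_text, limit=MAX_AWAY_BYTES):
    """Return (offset, length) for each aim:goaway URI over the limit."""
    findings = []
    for match in AIM_GOAWAY.finditer(page_text):
        # Attribute values may be entity-encoded (&amp;, &#x41;), so
        # unescape the captured query before splitting it.
        query = html.unescape(match.group(1))
        longest = max(away_message_lengths(query), default=0)
        if longest > limit:
            findings.append((match.start(), longest))
    return findings


# Constructed sample pages (not captured traffic); the filler is inert.
BENIGN_PAGE = '<a href="aim:goaway?message=Out+to+lunch">set away</a>'
SUSPECT_PAGE = '<iframe src="aim:goaway?message=' + "%41" * 1100 + '"></iframe>'

if __name__ == "__main__":
    for label, page in (("benign", BENIGN_PAGE), ("suspect", SUSPECT_PAGE)):
        print(label, find_oversized_goaway(page))
```

The same check can run in a web proxy or mail gateway; lengths are measured after percent-decoding because that is the size the client ends up handling.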
Secunia has said that an updated version of AOL IM that isn't vulnerable to this flaw will be made available, but no details of this were visible on AOL's website at the time of writing.
AOL has so far been unable to comment on the flaw in the UK, referring questions to the US which will be waking up to news of the problem around the time of publication.
Graeme Wearden writes for ZDNet UK