ZDNet UK
AOL: Fix for critical IM flaw due this week

Graeme Wearden ZDNet.co.uk

Published: 10 Aug 2004 15:20 BST


AOL acknowledged on Tuesday that its Instant Messenger client is vulnerable to a buffer-overflow attack, and promised that a fix would be available to users within days.

"We have been working on a resolution in tandem with iDefense for more than a month," said Krista Thomas of AOL's corporate communications division.

"The issue has been fixed in our new client update beta, which will go live later this week," Thomas added.

News of the vulnerability hit the Web late on Monday after Internet Security Systems and Secunia reported that AOL IM contained a serious security hole that could allow malicious hackers to take control of a user's PC.

"The vulnerability is caused due to a boundary error within the handling of 'away' messages and can be exploited to cause a stack-based buffer overflow by supplying an overly long 'away' message (about 1,024 bytes). A malicious Web site can exploit this via the 'aim:' URI handler by passing an overly long argument to the 'goaway?message' parameter," reported Secunia. Secunia described the vulnerability as "highly critical".

Once the buffer overflow has been triggered, a malicious hacker could direct the client PC to a Web site from which further code could be downloaded.
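As an added illustration of the condition Secunia describes (this is example code written for this page, not code from the article, AOL, iDefense or Secunia), the Python below parses aim: links and flags any that set a goaway?message value at or above the reported size, the kind of check a web content filter could apply while the client update was pending. The 1,024-byte threshold comes from the Secunia description; the URI parsing rules, the HTML link pattern and the sample page are assumptions made for this example.

```python
import re
from urllib.parse import unquote_to_bytes

# Approximate boundary for the 'away' message buffer reported by Secunia.
AWAY_MESSAGE_LIMIT = 1024

# Matches href/src attribute values using the aim: scheme (assumed pattern).
AIM_LINK_RE = re.compile(r"""(?:href|src)\s*=\s*["']?(aim:[^"'\s>]+)""",
                         re.IGNORECASE)


def parse_aim_uri(uri):
    """Split an aim: URI into (action, params); None for other schemes.

    'aim:goaway?message=brb' -> ('goaway', {'message': [b'brb']})
    Values are percent-decoded to bytes because the length that matters
    for the overflow is the decoded length handed to the client, not the
    encoded length on the wire.
    """
    if not uri.lower().startswith("aim:"):
        return None
    action, _, query = uri[4:].partition("?")
    params = {}
    for pair in query.split("&"):
        if not pair:
            continue
        key, _, value = pair.partition("=")
        decoded = unquote_to_bytes(value.replace("+", " "))
        params.setdefault(key.lower(), []).append(decoded)
    return action.lower(), params


def is_oversized_away_uri(uri, limit=AWAY_MESSAGE_LIMIT):
    """True if the URI sets an away message of at least `limit` bytes."""
    parsed = parse_aim_uri(uri)
    if parsed is None or parsed[0] != "goaway":
        return False
    return any(len(v) >= limit for v in parsed[1].get("message", []))


def find_oversized_aim_links(html, limit=AWAY_MESSAGE_LIMIT):
    """Return the aim: links in an HTML document that trip the length check."""
    return [m.group(1) for m in AIM_LINK_RE.finditer(html)
            if is_oversized_away_uri(m.group(1), limit)]


if __name__ == "__main__":
    # Constructed sample page: one ordinary away link and one oversized one.
    sample = ('<a href="aim:goaway?message=back+in+5">away</a>'
              '<a href="aim:goaway?message=' + "A" * 1100 + '">bad</a>')
    print(find_oversized_aim_links(sample))
```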

Thomas said that AOL is grateful to "Matt Murphy and iDefense for their assistance to responsibly address this issue."

The client update beta due this week will be located at AOL's Instant Messenger site. In the meantime, iDefense has provided a workaround that can be used until the new AOL IM beta version is available.

iDefense said it does not yet know of any exploits that take advantage of the vulnerability but warned that the threat should not be taken lightly.

"This is a very serious situation for AOL users at this time," said Ken Dunham, director of malicious code for iDefense. "IM is more dangerous than email. You read email throughout the day. But if your buddy sends you an instant message, you read it instantly. So, from a threat metric, it's a whole lot scarier. You can have really fast worms over IM."

CNET News.com's Dawn Kawamoto contributed to this report.
