AOL has acknowledged a potentially serious security vulnerability affecting users of its popular AOL Instant Messenger software.
iDEFENSE has been working with AOL since 07/12/2004 on this issue
to allow the vendor time to implement a patch. However, on 08/09/2004
Secunia released an advisory (http://secunia.com/advisories/12198/)
because the same issue had been independently discovered by another group
of researchers. With the issue now public, iDEFENSE is proceeding with
public disclosure.
AOL has provided the following statement:
"iDEFENSE, Inc. reported a buffer overflow vulnerability in all Windows
versions of AOL Instant Messenger (AIM). The impact of this
vulnerability could potentially allow for an attacker to execute
malicious code on Windows platforms. Exploitation of this vulnerability
requires that an AIM user click on a malicious URL supplied in an
instant message or embedded in a web page.
Affected Products and Applications
AOL Instant Messenger (AIM) for Windows - All known versions
1. America Online, Inc. recommends that Windows users of AIM upgrade to
the latest beta version to be released on August 9, 2004. This new
version of AIM addresses the vulnerability described herein and can be
obtained via the AOL Instant Messenger portal, www.aim.com.
2. A workaround provided by iDEFENSE is available until users are able
to upgrade to the new beta version.
Thanks to Matt Murphy and iDEFENSE, Inc. for their assistance in
responsibly addressing this issue."
AOL, Yahoo rolling out sender authentication
ISPs AOL and Yahoo plan to begin using technology to verify the source of e-mail messages in coming months, as both companies step up efforts to stop spam e-mail, according to information provided by the companies.
In September, AOL will verify the source of incoming e-mail using a component of Microsoft's Sender ID authentication architecture. Yahoo will use its DomainKeys authentication technology to sign all e-mail coming out of the company's mail servers by the end of 2004, according to spokesmen for the companies. The decisions are part of an industry-wide push to thwart spam and online scams known as "phishing attacks," by improving the ability of ISPs and e-mail providers to verify the source of e-mail messages, according to interviews with executives from e-mail technology companies.
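The two mechanisms named above verify different things. A Sender ID/SPF-style check is path-based: the receiving ISP compares the IP address of the mail server that connected to it against a policy the sending domain publishes in DNS. DomainKeys is signature-based: the sending server signs selected headers and the body with a private key, and the receiver fetches the matching public key from a DNS record named by the selector and domain in the signature and checks the signature. The Python below is an added illustration of both checks; it is not code from AOL, Yahoo or the original article. The DNS records, IP addresses, message and key are all constructed for the example, and the inline textbook RSA (two five-digit primes, hash truncated to 32 bits) is a deliberately insecure stand-in for the RSA-SHA1 key pair DomainKeys uses, chosen so the example runs with the standard library alone.

```python
"""Added illustration of path-based (Sender ID / SPF style) and signature-based
(DomainKeys style) sender authentication. Everything here is constructed."""
import hashlib
import ipaddress

# Toy RSA key: stand-in for the real RSA-SHA1 key pair. Insecure on purpose;
# a real deployment uses a 1024-bit-or-larger key and a proper hash encoding.
P, Q, E = 104729, 104723, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent

# Constructed stand-in for DNS TXT lookups (not real AOL or Yahoo records).
DNS_TXT = {
    # Sender policy: mail for example.com legitimately leaves from these addresses.
    "example.com": "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.25 -all",
    # Public key for selector "mail", at the name a DomainKeys verifier queries.
    "mail._domainkey.example.com": f"k=rsa; p={E}:{N}",
}

RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(domain, client_ip):
    """Path-based check: is the connecting IP authorised by the domain's policy?"""
    record = DNS_TXT.get(domain)
    if not record or not record.startswith("v=spf1"):
        return "none"                 # domain publishes nothing; nothing to decide
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        if term == "all":
            return RESULT[qualifier]  # catch-all, usually "-all"
        if term.startswith("ip4:") and ip in ipaddress.ip_network(term[4:], strict=False):
            return RESULT[qualifier]
    return "neutral"


def canonical(headers, body):
    """'simple'-style canonicalisation: the signed headers in order, then the body."""
    text = "".join(f"{k}: {v}\r\n" for k, v in headers) + "\r\n" + body.rstrip("\r\n") + "\r\n"
    return text.encode()


def message_int(headers, body):
    # SHA-1 of the canonical text, truncated to 32 bits so it fits below the toy modulus.
    return int.from_bytes(hashlib.sha1(canonical(headers, body)).digest()[:4], "big")


def domainkeys_sign(headers, body, selector, domain):
    """Sender side: sign the message and build a DomainKeys-style signature header value."""
    sig = pow(message_int(headers, body), D, N)
    return f"a=rsa-sha1; s={selector}; d={domain}; b={sig}"


def domainkeys_verify(sig_header, headers, body):
    """Receiver side: look up the key named by s= and d=, recompute the digest, compare."""
    fields = dict(f.strip().split("=", 1) for f in sig_header.split(";") if f.strip())
    key_record = DNS_TXT.get(f"{fields['s']}._domainkey.{fields['d']}")
    if key_record is None:
        return "none"                 # no key published: the signature proves nothing
    e, n = (int(x) for x in key_record.split("p=")[1].split(":"))
    recovered = pow(int(fields["b"]), e, n)
    return "pass" if recovered == message_int(headers, body) else "fail"


# Constructed sample message.
HEADERS = [("From", "alice@example.com"), ("To", "bob@example.net"), ("Subject", "Q3 invoice")]
BODY = "Hi Bob,\r\nthe invoice is attached.\r\n"

if __name__ == "__main__":
    print("SPF, listed relay  :", spf_check("example.com", "192.0.2.77"))
    print("SPF, unknown host  :", spf_check("example.com", "203.0.113.9"))
    sig = domainkeys_sign(HEADERS, BODY, "mail", "example.com")
    print("DomainKeys, intact :", domainkeys_verify(sig, HEADERS, BODY))
    print("DomainKeys, altered:", domainkeys_verify(sig, HEADERS, BODY + "Wire the money today.\r\n"))
```

Both checks answer a narrow question. A "pass" from the path check says only that the connecting host is one the domain owner listed; a "pass" from the signature check says the signed headers and body are unchanged since a holder of the domain's private key signed them. Neither says the mail is not spam, and a domain that publishes no record or no key yields "none", which is why the news item frames these as tools for verifying the source rather than as spam filters in themselves.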