
Flaw opens AOL chat software to intruders

Attackers could bombard PCs using instant messenger's "away" feature. AOL says a fix is imminent.

Graeme Wearden Special to CNET News.com
America Online acknowledged Tuesday that its AOL Instant Messenger client is vulnerable to a buffer-overflow attack and promised that a fix would be available within days.

The problem resides in the chat software's "away" function, which allows people to show their friends that they're not at the computer.

"We have been working on a resolution in tandem with iDefense for more than a month," said Krista Thomas, a spokeswoman for AOL.

The vulnerability has been fixed in the company's new client update beta, which is expected to go live later this week, Thomas added.

News of the vulnerability hit the Web late Monday after security companies Internet Security Systems and Secunia reported that AOL's IM software contained a serious security hole that could allow malicious hackers to take control of a person's PC.

Secunia described the vulnerability as "highly critical." AOL IM has 36 million active users.

"The vulnerability is caused due to a boundary error within the handling of 'Away' messages and can be exploited to cause a stack-based buffer overflow by supplying an overly long 'Away' message" of about 1,024 bytes, Secunia said.

Once the overflow has been triggered, the attacker's code runs on the victim's PC and could, for example, direct the machine to a Web site from which further code is downloaded.
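The pattern Secunia describes, a fixed-size stack buffer that receives an attacker-controlled string with no length check, is shown below as an added example in C. This is illustrative code, not AOL's or iDefense's; the 1,024-byte buffer size is taken from the advisory's figure and the away-message text is constructed here. The vulnerable copy is shown for contrast and is only ever called with a short input, since running it on an overlong message is undefined behaviour; the hardened version makes the destination size explicit and refuses, rather than truncates, a message that does not fit.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed size of the away-message buffer. The ~1,024 bytes quoted by
   Secunia is used only as an illustrative constant, not AIM's real layout. */
#define AWAY_MAX 1024

/* Vulnerable pattern (illustrative, not AOL's code): fixed stack buffer,
   unbounded copy of a string the remote party controls. A message of
   AWAY_MAX bytes or more runs past buf into whatever the compiler placed
   above it, including the saved return address. Never called here with an
   overlong message; that is exactly the undefined behaviour being avoided. */
static void away_set_vulnerable(const char *msg)
{
    char buf[AWAY_MAX];
    strcpy(buf, msg);                 /* no bounds check */
    printf("away (vulnerable copy): %.40s\n", buf);
}

/* Hardened pattern: the destination size travels with the buffer and the
   copy is refused when the message does not fit. Returns 0 on success,
   -1 when msg is NULL, dstsz is 0, or the message (plus terminator) is
   longer than dstsz. Rejecting outright is the right choice for a protocol
   field with a defined maximum; silently truncating hides a malformed
   message that should instead be logged. */
int away_set_safe(char *dst, size_t dstsz, const char *msg)
{
    if (msg == NULL || dstsz == 0)
        return -1;

    /* Bounded length scan: never reads more than dstsz bytes of msg. */
    size_t n = 0;
    while (n < dstsz && msg[n] != '\0')
        n++;
    if (n == dstsz)                   /* no room for the NUL terminator */
        return -1;

    memcpy(dst, msg, n + 1);          /* n + 1 <= dstsz by the check above */
    return 0;
}

/* Builds a constructed message of len 'A' bytes and stores it through
   away_set_safe into an AWAY_MAX buffer; returns that call's result so the
   boundary can be probed without ever smashing the stack. */
int away_try_len(size_t len)
{
    char *msg = malloc(len + 1);
    if (msg == NULL)
        return -1;
    memset(msg, 'A', len);
    msg[len] = '\0';

    char buf[AWAY_MAX];
    int rc = away_set_safe(buf, sizeof buf, msg);
    free(msg);
    return rc;
}

int main(void)
{
    char buf[AWAY_MAX];
    const char *benign = "Out to lunch, back at 2";   /* constructed sample */

    away_set_vulnerable(benign);      /* safe only because the input is short */
    printf("safe, benign message: rc=%d\n", away_set_safe(buf, sizeof buf, benign));
    printf("safe, %d bytes: rc=%d\n", AWAY_MAX - 1, away_try_len(AWAY_MAX - 1));
    printf("safe, %d bytes: rc=%d\n", AWAY_MAX, away_try_len(AWAY_MAX));
    printf("safe, %d bytes: rc=%d\n", 4 * AWAY_MAX, away_try_len(4 * AWAY_MAX));
    return 0;
}
```

The boundary is exact: 1,023 bytes of text plus the terminator fill the 1,024-byte buffer and are accepted, 1,024 or more are rejected. The same check applies whether the message arrives in an instant message or through a hyperlink the client hands to its own handler; the parsing code, not the transport, is where the length must be enforced.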

The vulnerability is triggered when an AOL IM user clicks on a malicious hyperlink included in an instant message or embedded in a Web page, according to AOL.

Version 5.5 and earlier versions of AOL IM are vulnerable to attack. The flaw affects all Windows versions of the application, including builds compiled with Microsoft Visual Studio .NET 2003 with its stack-protection option enabled. A compiler-inserted stack canary is checked only when the overflowed function returns, so it does not by itself block exploitation paths that fire before that point, such as an overwritten function pointer or exception-handler record.

AOL and iDefense have been working on the problem since July 12. The online giant and iDefense did not initially disclose the problem in order to allow time to develop a patch before the vulnerability became widely known.

The client update beta due this week will be located on AOL's Instant Messenger site. In the meantime, iDefense has provided a workaround that can be used until the new AOL IM beta version is available.

iDefense said it does not yet know of any exploits that take advantage of the vulnerability but warned that the threat should not be taken lightly.

"This is a very serious situation for AOL users at this time," said Ken Dunham, director of malicious code for iDefense. "IM is more dangerous than e-mail. You read e-mail throughout the day. But if your buddy sends you an instant message, you read it instantly. So from a threat metric, it's a whole lot scarier. You can have really fast worms over IM."

Graeme Wearden of ZDNet UK reported from London. CNET News.com's Dawn Kawamoto reported from San Francisco.