A 14-year-old high school student in Florida has discovered a bug that could be used to surreptitiously send malicious computer code to users of America Online's Instant Messenger system on the Internet.
America Online (AOL) spokeswoman Wendy Goldberg confirmed the problem and said the company is working on a solution. It is unclear if anyone has used the program to do harm.
"I don't think anyone's used it yet, but somebody could stumble across it very easily," said Stephen Hemingway, the Tampa high school freshman who discovered the bug.
While American Online is often the center of criticism, public reports of software bugs are fairly unusual for the online giant. It is well known that malicious users on AOL like to try to jam up other users, but their exploits have largely been confined to the online service's proprietary system.
Hemingway said he was studying the Instant Messenger (IM) program when he came across some interesting code: It looked strikingly similar to an Internet Explorer buffer overflow bug that he had read about earlier.
That's when he realized that sophisticated users on AOL could use the IM client to send bugs or other code, including very small viruses, to unsuspecting Netizens.
So Hemingway used the program to send himself some code that would jam his computer. It worked.
Bill Mattocks, proprietor of a small ISP called Computer Solutions in Kenosha, Wisconsin, tested the bug for CNET's NEWS.COM.
Mattocks inserted random code into the program where Hemingway had indicated it could be done and sent it to his IM account on the Internet from his AOL account.
The program, he said, "immediately generated an internal error and crashed. Windows 95 itself became unstable minutes later and the entire machine crashed, as well."
Hemingway also said he was able to make his computer crash. Theoretically, the program could be used to send a small virus, one less than 1,000 bytes large, Hemingway said.
"I actually tried to infect myself with a virus to see if it was possible, but I was unable to find a virus small enough," he said. "I didn't particularly like the idea of giving myself a virus anyway."