Network Computing is part of the Informa Tech Division of Informa PLC


Critical Security Flaw Spotted In AOL Instant Messenger

A pair of security firms Monday reported a serious vulnerability in America Online's instant messaging client that could expose users to attack.

Both Internet Security Systems, of Reston, Va., and Copenhagen-based Secunia warned that systems running the Windows editions of AOL Instant Messenger (AIM) can be loaded with malicious code if their users are enticed to visit specially crafted Web sites.

The problem stems from AIM's "Away" function, which displays a user's current online status to other contacts. Attackers could exploit the flaw to create a buffer overflow on the machine and, once the system is compromised, feed it other code or a Trojan horse, which could give the hacker later access to the PC.

The most likely attack vector would be a link embedded in an instant message that leads users to a hacker's Web site.

Secunia broke the news first and called the vulnerability "critical." Internet Security Systems (ISS), which had notified AOL of the vulnerability last month but had held off publicly announcing the AIM hole, followed suit.
