AOL has acknowledged a potentially serious security vulnerability affecting users of its popular AOL Instant Messenger software.
iDEFENSE has been working with AOL since 07/12/2004 regarding this issue to allow the vendor time to implement a patch. However, on 08/09/2004 an advisory was released by Secunia (http://secunia.com/advisories/12198/), as the same issue was discovered by another group of researchers. With the issue now public, iDEFENSE is proceeding with public disclosure.
AOL has provided the following statement:
“iDEFENSE, Inc. reported a buffer overflow vulnerability in all Windows versions of AOL Instant Messenger (AIM). The impact of this vulnerability could potentially allow for an attacker to execute malicious code on Windows platforms. Exploit of this vulnerability requires that an AIM user click on a malicious URL supplied in an instant message or embedded in a web page.
Affected Products and Applications
AOL Instant Messenger (AIM) for Windows – All known versions
1. America Online, Inc. recommends that Windows users of AIM upgrade to the latest beta version to be released on August 9, 2004. This new version of AIM addresses the vulnerability described herein and can be obtained via the AOL Instant Messenger portal, www.aim.com.
2. A workaround provided by iDEFENSE is available until users are able to upgrade to the new beta version.
Thanks to Matt Murphy and iDEFENSE, Inc. for their assistance to responsibly address this issue.”