AOL "I am away" message flaw deemed critical

Date: 10 August 2004
(ICT World)
Paul Roberts, IDG News Service
Computer security companies are warning users of America Online's Instant Messenger (AIM) software that a serious security hole in the product could allow remote attackers to execute malicious code on computers that run the instant messaging software.

America Online (AOL) confirmed the existence of the software vulnerability in an AIM feature that allows users to post automatic replies, such as "I am away" messages, to instant messages (IMs) that they receive. The company is planning to release a test version of the AIM client later this week, which will fix the hole, says Andrew Weinstein, an AOL spokesman.

 

The security hole was discovered by iDefense of Reston, Virginia, a computer security intelligence company. A flaw in an AIM component called the "goaway" function allows an attacker to cause a buffer overrun on machines running AIM. Attackers could trigger the flaw by feeding a large amount of data to the goaway function, possibly using a uniform resource locator (URL) embedded in an instant message to the user.

 

In a buffer overrun, space in a computer's memory allocated to hold data is exceeded, allowing the attacker to crash vulnerable applications or place and run their own code on the vulnerable computer.
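The overrun described above, where oversized data from a URL reaches a fixed-size away-message buffer, is shown here as an added C example next to a length-checked alternative; it is not AOL's code. The buffer size `AWAY_MAX`, both function names, and the percent-encoded form of the URL value are assumptions made for illustration.

```c
#include <stddef.h>
#include <string.h>
#include <ctype.h>

#define AWAY_MAX 128  /* assumed buffer size, not AIM's real one */

/* Unsafe pattern (the class of bug the article describes): the copy is
 * bounded by the sender's input, not by the destination buffer. */
void set_away_unchecked(char dst[AWAY_MAX], const char *url_value)
{
    strcpy(dst, url_value);   /* overruns dst when input >= AWAY_MAX bytes */
}

static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    c = tolower(c);
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;
}

/* Hardened form: percent-decode while checking the destination bound on
 * every byte. Returns the decoded length, or -1 if the input is malformed,
 * decodes to an embedded NUL, or would not fit (dst is left empty). */
int set_away_checked(char *dst, size_t dstsz, const char *url_value)
{
    size_t n = 0;
    if (dst == NULL || dstsz == 0 || url_value == NULL) return -1;
    for (const char *p = url_value; *p != '\0'; p++) {
        int c = (unsigned char)*p;
        if (c == '%') {
            int hi = hexval((unsigned char)p[1]);
            int lo = hi < 0 ? -1 : hexval((unsigned char)p[2]);
            if (lo < 0) { dst[0] = '\0'; return -1; }
            c = hi * 16 + lo;
            p += 2;
        } else if (c == '+') {
            c = ' ';
        }
        /* Reserve one byte for the terminator before every write. */
        if (c == 0 || n + 1 >= dstsz) { dst[0] = '\0'; return -1; }
        dst[n++] = (char)c;
    }
    dst[n] = '\0';
    return (int)n;
}
```

Rejecting an oversized message outright, rather than silently truncating it, also gives the client a clear event to log when a link carries an abnormally long value.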

 

All known versions of AIM for Microsoft Windows are affected, and, if successfully exploited, the AIM away message vulnerability would allow remote attackers to run code with the privileges of the user who launched the AIM application, iDefense says.

 

However, AIM users would have to click on the URL to trigger the vulnerability, which will make it harder for malicious hackers or virus writers to use it in automated attacks, Weinstein says.

 

The vulnerability reinforces the importance of using caution when clicking on links in IM messages, especially when they are from unknown correspondents, he says.

AOL encourages AIM users to switch to the beta AIM client when it is released. Alternatively, iDefense recommends changing a Windows configuration setting to protect systems from exploitation. (See: http://www.idefense.com/application/poi/display?id=121&type=vulnerabilities.)