AOL Instant Messenger "Away" Vulnerability

Discussion in 'other security issues & news' started by ronjor, Aug 9, 2004.

Thread Status:
Not open for further replies.
  1. ronjor

    ronjor Global Moderator

    Jul 21, 2003
    Ryan McGeehan has reported a vulnerability in AOL Instant Messenger (AIM), which potentially can be exploited by malicious people to compromise a user's system.

    The vulnerability is caused due to a boundary error within the handling of "Away" messages and can be exploited to cause a stack-based buffer overflow by supplying an overly long "Away" message (about 1024 bytes). A malicious website can exploit this via the "aim:" URI handler by passing an overly long argument to the "goaway?message" parameter.

    Successful exploitation may allow execution of arbitrary code on a user's system when e.g. a malicious website is visited with certain browsers.

    The vulnerability has been confirmed in version 5.5.3595. Other versions may also be affected.
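
A defensive check for the vector described in the post above, added here as an example and not part of the original thread or of AOL's code: it scans page or proxy-log text for `aim:goaway` links and reports the decoded byte length of each `message` argument. The 512-byte limit, the function names, the exact URI shape matched and the sample strings are assumptions constructed for illustration.

```python
import html
import re
from urllib.parse import unquote_to_bytes

# Assumed policy limit: the advisory puts the overflow at about 1024 bytes,
# so anything over half of that is treated as abnormal for an away message.
MAX_AWAY_BYTES = 512

# Matches aim:goaway?... up to the end of the attribute or token.
AIM_GOAWAY = re.compile(r"aim:(?://)?goaway\?([^\s\"'<>]*)", re.IGNORECASE)


def away_message_lengths(text):
    """Return the decoded byte length of every message= argument found
    in aim:goaway URIs inside the given text (HTML, log line, etc.)."""
    text = html.unescape(text)  # links in HTML often carry &amp; separators
    lengths = []
    for match in AIM_GOAWAY.finditer(text):
        for pair in match.group(1).split("&"):
            name, _, value = pair.partition("=")
            if name.lower() == "message":
                # Measure after percent-decoding: that is the size the
                # client would end up copying, not the size on the wire.
                lengths.append(len(unquote_to_bytes(value)))
    return lengths


def is_suspicious(text, limit=MAX_AWAY_BYTES):
    """True if any aim:goaway message argument exceeds the limit."""
    return any(n > limit for n in away_message_lengths(text))


# Constructed sample inputs (not taken from any real page or log).
BENIGN = '<a href="aim:goaway?message=Out%20to%20lunch">away</a>'
OVERSIZED = '<iframe src="aim:goaway?message=' + "A" * 1100 + '"></iframe>'
ENCODED = "GET /p?u=x aim:goaway?x=1&amp;message=" + "%41" * 600

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN), ("oversized", OVERSIZED),
                          ("encoded", ENCODED)):
        print(label, away_message_lengths(sample), is_suspicious(sample))
```
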
  2. dog

    dog Guest

    Update/Fix - AOL Instant Messenger "Away" Vulnerability

    AIM Beta Fixes Security Hole
    August 10, 2004
    By Matt Hicks

    America Online Inc. has released a beta version of AOL Instant Messenger that fixes a critical security hole that could open users to remote attack.

    As previously reported, AOL had promised to fix the vulnerability in an upgraded version of AIM. On Tuesday, it made a test version of AIM 5.9 available for download.

    Eweek Article