AOL Confirms Security Hole in AIM
Flaw could leave PCs vulnerable to malicious code.
Sam Costello, IDG News Service
America Online admits there is a security hole in the latest versions of its AOL Instant Messenger (AIM) chat program, which corroborates findings an independent security group released Wednesday. AOL says it will fix the problem by the end of the week.
AOL has "identified the issue and developed a resolution that should be deployed in the next day or two," says Andrew Weinstein, spokesperson. The fix to the hole will take place on AOL's servers and will not require users to download patches, he says. AOL is unaware of the security problem actually impacting any users, he adds.
Buddy List Flaw
The hole, discovered by the security group W00w00, takes advantage of a flaw in the shared game features of AIM, Weinstein says. The vulnerable feature lets users invite members of their buddy list to participate in online games, but could let an attacker send malicious code to the victim's machine, w00w00 says in its advisory.
The security group also speculates that virus writers could use the bug to create a worm similar to the Code Red and Nimda worms that hit Microsoft's IIS (Internet Information Services) Web servers in July and October, respectively. In this scenario, the worm would attack vulnerable systems and spread via the buddy list on the infected PC, W00w00 says.
Helping Hand?
In a move that could potentially turn such a scenario into reality, W00w00 also posted code on its Web site that would let people use the hole for attacks. Posting full attack code is in keeping with the policy of full disclosure, which has been at the heart of a number of debates in the security community in recent months.
The vulnerability affects users of AIM versions 4.7 and 4.8, Weinstein says. W00w00 initially said the same thing, but later amended its findings in a post to the Bugtraq e-mail list saying that the problem impacts AIM versions as far back as 4.3.
However, AOL's Weinstein says that the only versions of the software that support the shared game feature where the vulnerability resides are versions 4.7 and 4.8.
Although Weinstein did not have exact numbers on hand, he says that AIM has more than 100 million registered users. No numbers were available as to how many users have the vulnerable versions of the software.






