You've Got Problems: AOL Patches Photo Flaw

America Online users may want to upgrade to the latest version of the company's software following the discovery of a critical flaw in the AOL suite of client software.

The bug, which was reported earlier this week on the FrSIRT (French Security Incident Response Team) Web site could be used by attackers to run unauthorized software on an unpatched computer.

The flaw concerns an ActiveX control in AOL's YGP Picture Finder Tool, used by AOL's You've Got Pictures photo-sharing service. It is found in several versions of AOL's suite, including AOL 8.0, 8.0+, and 9.0 Classic. Attackers could exploit this bug to seize control of an unpatched system by tricking users into visiting a specially crafted Web page, the FrSIRT alert says.

A stand-alone version of You've Got Pictures that is not bundled with the AOL client suite is not affected by the vulnerability, AOL says.

Fix Issued

Though the bug was publicly disclosed this week, the security researcher who discovered it, Richard M. Smith, had reported the problem to AOL several months earlier, says AOL spokesperson Andrew Weinstein. "We had the issue brought to our attention around July, and we had a fix put into place and pushed that out to our of all members who logged on over a four-week period from October to November," he says.

Members who did not log into AOL during this period last year have not received the patch, however, and are encouraged to download a more recent version of the client suite or apply a hotfix patch.

"If someone is worried that they didn't log on over the course of early October to early November, and they are on an earlier version than AOL 9.0 Optimized, then they should download the hotfix," Weinstein says.

AOL is not aware of any software in circulation that can be used to exploit the code, Weinstein adds. "Given that the affected population is so small, I would be surprised to see any exploits."