Code Execution Flaw Haunts AOL Radio
The U.S. Computer Emergency Readiness Team (US-CERT) has issued a high-risk warning for a serious security flaw affecting users of America Online's AOL Radio software.
The vulnerability is described as a stack buffer overflow that could allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.
The US-CERT warning, written by vulnerability analyst Will Dormann, states the bug exists in the AmpX ActiveX control used by AOL Radio to handle streaming audio in Web pages.
"The AOL AmpX ActiveX control, which is provided by AmpX.dll, uses a program called AOLMediaPlaybackControl.exe. The AOLMediaPlaybackControl application contains a stack buffer overflow that is exploitable via the AmpX ActiveX control's AppendFileToPlayList() method."
An attacker could trick a user into opening a booby-trapped HTML document (a Web page, or an e-mail message or attachment) and use the overflow to install malware or take complete control of a Windows computer running AOL Radio, Dormann said. Because the control is instantiated by Internet Explorer, any code the attacker runs this way executes with the privileges of the logged-on user.
America Online has not publicly acknowledged the issue, but Dormann said the flaw was addressed in an "unspecified automatic update" that removed the AmpX control and AOLMediaPlaybackControl.exe.
Users who cannot apply the update should disable the AmpX ActiveX control in Internet Explorer, Dormann said. The standard way to do that is to set the control's "kill bit" in the registry, which makes Internet Explorer refuse to load the control regardless of which page asks for it.
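The following script, added here as an illustration and not taken from the US-CERT note or from AOL, shows how an administrator would set that kill bit and confirm it took. It assumes the control's CLSID is supplied on the command line; the article does not give the AmpX CLSID, so the script takes it as a parameter rather than hard-coding one, and the `Compatibility Flags` value of 0x400 is Internet Explorer's documented kill-bit flag, not something specific to AmpX.

```powershell
<#
  Added example (not from the US-CERT note or AOL): set the Internet Explorer
  kill bit for an ActiveX control so IE will not instantiate it.
  The CLSID is a required parameter because the article does not give the
  AmpX control's CLSID; take it from the vendor note or from the control's
  registration under HKCR\CLSID before running this. Run from an elevated
  prompt: the kill bit lives under HKLM and IE honours only that hive.
#>
param(
    [Parameter(Mandatory = $true)]
    [ValidatePattern('^\{[0-9A-Fa-f-]{36}\}$')]
    [string]$Clsid
)

$killBit = 0x400   # IE "Compatibility Flags" kill bit

# Report whether the control is still registered at all and which DLL backs it.
# If AOL's update already removed AmpX, this path will be missing.
$server = "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid\InprocServer32"
if (Test-Path $server) {
    $dll = (Get-ItemProperty -Path $server).'(default)'
    Write-Host "Control $Clsid is registered; server DLL: $dll"
} else {
    Write-Host "Control $Clsid is not registered (already removed?); setting the kill bit anyway"
}

# A 32-bit control on 64-bit Windows is looked up through the Wow6432Node view,
# so set the flag in both views on a 64-bit OS.
$compatKeys = @("HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid")
if ([Environment]::Is64BitOperatingSystem) {
    $compatKeys += "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
}

foreach ($key in $compatKeys) {
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # OR the kill bit into any flags already present rather than overwriting them.
    $current = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'Compatibility Flags'
    $newValue = if ($null -eq $current) { $killBit } else { $current -bor $killBit }
    Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value $newValue -Type DWord
}

# Verify: read the value back and check that the 0x400 bit is set.
foreach ($key in $compatKeys) {
    $flags = (Get-ItemProperty -Path $key).'Compatibility Flags'
    $state = if (($flags -band $killBit) -eq $killBit) { 'kill bit SET' } else { 'kill bit NOT set' }
    Write-Host ("{0} : 0x{1:X} ({2})" -f $key, $flags, $state)
}
```

Invoke it as `.\Set-KillBit.ps1 -Clsid '{...}'` with the control's real CLSID. The kill bit only blocks instantiation through Internet Explorer and other hosts that consult the ActiveX Compatibility key; it does not remove AmpX.dll or AOLMediaPlaybackControl.exe from disk, so applying AOL's update remains the complete fix.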