AOL Fixes AIM Flaw

Security researchers have discovered a buffer overflow vulnerability in the ubiquitous AOL Instant Messenger program that enables a remote attacker to execute code on vulnerable machines.

AOL Time Warner Inc.s AOL unit on Thursday said it has fixed a flaw in its popular Instant Messenger program that could have enabled an attacker to take control of another users computer. The fix was installed on AOLs AIM servers and does not require users to download a patch.

"I figured they would fix it on the server side. Relying on users to upgrade is a problem," said Chris Wysopal, director of research and development at @stake Inc., a security consultancy in Cambridge, Mass. "The whole threat was that a worm could be written. If you know someones screen name, you can take over their PC. Someone whos writing a worm would just need to know a bunch of screen names, and then it would spread through the Buddy Lists."

The flaw affects Version 4.7.2480 of AIM, as well as the 4.8.2616 beta.

The vulnerability, which was disclosed on two security mailing lists earlier this week, lies in the way that the AIM client parses a game request from another user, according to an advisory published by w00w00 Security Development, the security research group that discovered the flaw.

When an attacker sends a specially crafted message to another user, the message can overrun the buffer space that is allotted for such requests and allow the attacker to execute whatever code he chooses to embed in the message. An exploit for the vulnerability is already available, and Matt Conover, a member of w00w00, said the exploits payload can be several thousand lines long, which leaves plenty of space for an attacker to embed his own malicious code.

AIM is by far the most popular of the free instant-messaging clients available on the Internet, with more than 100 million users worldwide. Researchers have found other security problems with the client in the past, but none as serious as this most recent flaw, Conover said.

"This is a remote buffer overflow, and so an attacker could do just about anything: have the exploit download a program off the Internet and execute it, run a command, etc.," said Conover. "The potential is enormous. I have not seen it exploited to its full potential yet. I have seen people using it to simply crash AOL Instant Messenger."

A member of w00w00 discovered the vulnerability within the last three weeks and contacted AOL Time Warner Inc.s AOL Instant Messenger group and security team, but received no response. The group decided to release the information it had on the problem without the availability of a patch, it said, because "it is illegal to reverse engineer the AIM executable, so we are unable to provide a patch which will modify it."