Youve Got Flaw AOL

Updated: America Online posts a hotfix to correct a buffer overflow vulnerability in its "You've Got Pictures" photo album service.

A critical security flaw in America Online Inc.s "Youve Got Pictures" service could put millions of users at risk of PC takeover attacks, according to a warning from the US-CERT (U.S. Computer Emergency Readiness Team).

In an advisory, US-CERT described the flaw as a buffer overflow in an AOL YPG Picture Finder Tool ActiveX control (YGPPicFinder.DLL) that may be exploited to execute arbitrary code or cause a denial-of-service condition.

The vulnerability affects AOL 8.0, AOL 8.0 Plus and AOL 9.0 Classic. In addition, the vulnerable control was distributed via the "Youve Got Pictures" Web site prior to 2004.

/zimages/3/28571.gifAOL revamps Youve Got Pictures with portal play. Click here to read more.

America Online spokesman Andrew Weinstein said the flaw has been fixed since October 2005 and was pushed out as an "automatic update" to the vast majority of AOL users. "Only a tiny fraction of our members should be currently vulnerable to the flaw," Weinstein told eWEEK.

The Dulles, Va.-based AOL recommends that subscribers upgrade to AOL 9.0 Optimized and AOL 9.0 Security Edition to protect against the flaw.

The company also issued a hotfix for existing software versions to correct the issue.

A separate alert from FrSIRT (French Security Incident Response Team), rates the bug as "critical" and warned that the vulnerable ActiveX control does not properly handle overly long input strings.

"[This] could be exploited by remote attackers to compromise a vulnerable system by convincing a user to visit a specially crafted Web page."

Security alerts aggregator Secunia Inc. also rates the vulnerability as "highly critical."

Editors Note: This story was updated to include information and comments from America Online.

/zimages/3/28571.gifCheck out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at Security Center Editor Larry Seltzers Weblog.