America Online has confirmed that there is a security hole in the
latest versions of its AOL Instant Messenger (AIM) chat program,
corroborating the findings released by an independent security
group on 2 January. AOL has pledged to fix the problem by the end
of this week.
The company has "identified the issue and developed a resolution
that should be deployed in the next day or two," said AOL spokesman
Andrew Weinstein.
The fix will take place on AOL's servers and will not require users
to download patches, he said. Weinstein added that AOL is unaware
of any users being affected by the security problem.
The hole, discovered by internet security group w00w00, stems from
a flaw in the shared game feature of AIM. The feature allows users
to invite members of their buddy list to participate in online
games, but the flaw could allow an attacker to send malicious code
to the victim's machine.
W00w00 also speculated that the bug could be used to create a worm
similar to the Code Red and Nimda worms that hit Microsoft Internet
Information Services' Web servers in July and October respectively.
In this scenario, the worm could attack vulnerable systems and
spread via the buddy list on the infected PC.
The vulnerability affects users of AIM versions 4.7 and 4.8,
Weinstein said. W00w00 initially agreed but later added that AIM
versions as far back as 4.3 are affected. However, Weinstein said
that the only versions that support the shared game feature where
the vulnerability resides are 4.7 and 4.8.
According to AOL, AIM has more than 100 million registered users.
No figures were available as to how many users have the vulnerable
versions of the software.
Further information:
AOL Time Warner: www.aoltimewarner.com
w00w00: www.w00w00.org