AOL confirms security hole in AIM

News

AOL confirms security hole in AIM

America Online has confirmed that there is a security hole in the latest versions of its AOL Instant Messenger (AIM) chat program, corroborating the findings released by an independent security group on 2 January. AOL has pledged to fix the problem by the end of this week.

The company has "identified the issue and developed a resolution that should be deployed in the next day or two," said AOL spokesman Andrew Weinstein.

The fix will take place on AOL's servers and will not require users to download patches, he said. Weinstein added that AOL is unaware of any users being affected by the security problem.

The hole, discovered by internet security group w00w00, takes advantage of a flaw in the shared game features of AIM. The feature allows users to invite members of their buddy list to participate in online games, but could allow an attacker to send malicious code to the victim's machine.

W00w00 also speculated that the bug could be used to create a worm similar to the Code Red and Nimda worms that hit Microsoft Internet Information Services' Web servers in July and October respectively. In this scenario, the worm could attack vulnerable systems and spread via the buddy list on the infected PC.

The vulnerability affects users of AIM versions 4.7 and 4.8, Weinstein said. W00w00 initially agreed but later added that AIM versions as far back as 4.3 are affected. However, Weinstein said that the only versions that support the shared game feature where the vulnerability resides are 4.7 and 4.8.

According to AOL, AIM has more than 100 million registered users. No figures were available as to how many users have the vulnerable versions of the software.

Further information:
AOL Time Warner: www.aoltimewarner.com
w00w00: www.w00w00.org

Email Alerts

Register now to receive ComputerWeekly.com IT-related news, guides and more, delivered to your inbox.
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
 

COMMENTS powered by Disqus  //  Commenting policy