AOL confirms security hole in AIM


America Online has confirmed that there is a security hole in the latest versions of its AOL Instant Messenger (AIM) chat program, corroborating the findings released by an independent security group on 2 January. AOL has pledged to fix the problem by the end of this week.

The company has "identified the issue and developed a resolution that should be deployed in the next day or two," said AOL spokesman Andrew Weinstein.

The fix will take place on AOL's servers and will not require users to download patches, he said. Weinstein added that AOL is unaware of any users being affected by the security problem.

The hole, discovered by internet security group w00w00, stems from a flaw in the shared game feature of AIM. The feature allows users to invite members of their buddy list to participate in online games, but the flaw could allow an attacker to send malicious code to the victim's machine.

W00w00 also speculated that the bug could be used to create a worm similar to the Code Red and Nimda worms that hit Microsoft Internet Information Services' Web servers in July and October respectively. In this scenario, the worm could attack vulnerable systems and spread via the buddy list on the infected PC.

The vulnerability affects users of AIM versions 4.7 and 4.8, Weinstein said. W00w00 initially agreed but later added that AIM versions as far back as 4.3 are affected. However, Weinstein said that the only versions that support the shared game feature where the vulnerability resides are 4.7 and 4.8.

According to AOL, AIM has more than 100 million registered users. No figures were available as to how many users have the vulnerable versions of the software.
