'Critical' flaw seen in AOL Instant Messenger

by Guest Contributor | Aug 10, 2004 1:14:00 PM

Tags: Guest Contributor

Takeaway: A hacker could use the "Away" message feature to take control of a PC, according to experts.

Stay on top of the latest tech news with our free IT News Digest e-newsletter, delivered each weekday. Automatically sign up today!

By Graeme Wearden
CNET News.com

Two security companies say that AOL's Instant Messenger application contains a serious vulnerability that could allow malicious hackers to take control of a user's PC.

According to Secunia and Internet Security Systems, there is a flaw in the "Away" function of the AOL messaging software, which allows users to show their friends that they're not at the computer.

"The vulnerability is caused due to a boundary error within the handling of 'Away' messages and can be exploited to cause a stack-based buffer overflow by supplying an overly long 'Away' message" of about 1,024 bytes, Secunia said.

Once the buffer overflow has been executed, a malicious hacker could then direct the client PC to a Web site where more code could be downloaded.

Secunia has said that an updated version of AOL IM that isn't vulnerable to this flaw will be made available, but no details were visible on AOL's Web site at the time of writing.

AOL UK was not immediately able to supply more information.

Graeme Wearden of ZDNet UK reported from London.