Thanks go to NewOrder for the heads-up on yet another flaw, this time in AOL's IM chat program.
A security flaw in AOL's popular online chat program could allow a remote attacker to silently compromise the computers of users of the software, security experts said today.
The vulnerability in AOL Instant Messenger (AIM) for Windows could enable a malicious person to write a self-propagating program, or "worm," that could use AIM to spread itself to users in a victim's "buddy list," according to the security research group that discovered the bug, w00w00 Security Development.
"The implications of this vulnerability are huge and leave the door wide open for a worm not unlike those that Microsoft Outlook, IIS, et al., have all had," wrote the researchers in an advisory published today on the Web and on several security mailing lists.
The security hole lies in an AIM feature that allows users to invite other AIM users in their buddy list to play online games such as Quake and Canasta, the security group said.
Source code for a program that exploits the vulnerability, which stems from AIM's handling of specially crafted game requests that overflow one of the program's fixed-size memory buffers, was posted on w00w00's Web site.
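To show the bug class the advisory describes, here is an added illustration in C. It is not AIM's code and not w00w00's exploit; the "GAME:&lt;name&gt;" message format, the function names and the 32-byte buffer are all made up for the example. The vulnerable parser copies an attacker-controlled field into a fixed-size stack buffer with no length check; the hardened version refuses anything that does not fit.

```c
/* Illustrative only: a made-up "game request" format, not AIM's real
   protocol. The pattern is the point: an attacker-controlled field copied
   into a fixed-size stack buffer without checking its length. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define GAME_NAME_MAX 32   /* assumed buffer size for the example */

/* Vulnerable: pulls the game name out of "GAME:<name>" with strcpy().
   A name of 32 bytes or more overflows 'game' and clobbers the stack,
   including the saved return address. */
int parse_game_request_vulnerable(const char *msg, char *out, size_t outlen)
{
    char game[GAME_NAME_MAX];
    if (strncmp(msg, "GAME:", 5) != 0)
        return -1;                 /* not a game request */
    strcpy(game, msg + 5);         /* no bounds check: the bug */
    snprintf(out, outlen, "%s", game);
    return 0;
}

/* Hardened: measure the field first, reject it if it cannot fit, and copy
   with an explicit bound. Oversized requests are dropped, not truncated. */
int parse_game_request_safe(const char *msg, char *out, size_t outlen)
{
    char game[GAME_NAME_MAX];
    if (strncmp(msg, "GAME:", 5) != 0)
        return -1;                 /* not a game request */
    const char *name = msg + 5;
    size_t n = strlen(name);
    if (n == 0 || n >= sizeof game)
        return -2;                 /* empty or oversized name: refuse */
    memcpy(game, name, n);
    game[n] = '\0';
    snprintf(out, outlen, "%s", game);
    return 0;
}

/* Build a constructed request whose name field is 'len' bytes of 'A',
   standing in for a crafted message. Caller frees the result. */
char *make_request(size_t len)
{
    char *buf = malloc(5 + len + 1);
    if (!buf)
        return NULL;
    memcpy(buf, "GAME:", 5);
    memset(buf + 5, 'A', len);
    buf[5 + len] = '\0';
    return buf;
}

int main(void)
{
    char out[128];
    char *benign = make_request(5);
    char *crafted = make_request(200);

    printf("benign request, safe parser:    %d (%s)\n",
           parse_game_request_safe(benign, out, sizeof out), out);
    printf("oversized request, safe parser: %d\n",
           parse_game_request_safe(crafted, out, sizeof out));
    /* parse_game_request_vulnerable(crafted, ...) is deliberately not
       called: it would overflow 'game' and crash, or run attacker code. */

    free(benign);
    free(crafted);
    return 0;
}
```

The hardened parser rejects rather than truncates: silently cutting a field short is a common "fix" that still lets an attacker control what ends up in the buffer and often breaks protocol assumptions downstream.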
A temporary workaround is to go into your Preferences and, in the Privacy section, select "Allow Only Users on My Buddy List" under "Who can contact me." Note that this only keeps strangers from sending you game requests; a worm of the kind described above, spreading from a compromised machine whose user has you on their buddy list, could still reach you, so the setting reduces exposure rather than closing the hole.
News source: washingtonpost.com - Newsbytes