Secunia and Internet Security Systems have reported a vulnerability in AOL Instant Messenger (AIM), which can be exploited by malicious people to compromise a user's system. The vulnerability is caused due to a boundary error within the handling of "Away" messages and can be exploited to cause a stack-based buffer overflow by supplying an overly long "Away" message (about 1024 bytes). A malicious website can exploit this via the "aim:" URI handler by passing an overly long argument to the "goaway?message" parameter.

Successful exploitation allows execution of arbitrary code on a user's system when e.g. a malicious website is visited with certain browsers.

The vulnerability has been confirmed in version 5.5.3595. Other versions may also be affected.

NOTE: Various other issues were also reported, where a large amount of resources can be consumed on a user's system.

Solution:
The vendor has contacted Secunia and recommends that users install a beta version, which addresses the vulnerability, or remove support for the "aim:" URI handler by deleting the "HKEY_CLASSES_ROOT\aim" registry key.


Source : InSourced

Here are todays news about this issue...

AOL updates AIM to fix flaw

America Online yesterday [US] posted a beta of its popular instant messaging client that fixes a vulnerability made public just a day before, and will follow up this week with a patch for the current version, 5.5.

A pair of security firms warned AIM users of a flaw that could let hackers load their own code into compromised machines.

The beta of AIM 5.9 fixes the vulnerability, said AOL spokesperson Krista Thomas. But it's not the only way users will be able to plug the hole.

"We're not necessarily recommending that everyone download the beta," she said. "We'll be posting a fix for AIM 5.5 that (addresses) the security issue."

The update to AIM 5.5, which first launched in February, will be available on the AIM website.

AIM 5.9, which is expected to roll out in final form this fall, includes several new features and enhancements besides the vulnerability fix.

The instant messaging client now integrates with America Online's "You've Got Pictures" photo service, offers one click access to such AOL features as its Net radio stations, and includes a new toolbar that provides a pop-up blocker and web search field.

The beta version of AOL Instant Messenger (AIM), dubbed 5.9.3672, can be downloaded from the AIM website.



Source : TechWeb

(in reply to SiliconFreak)

Thanks Marshall for keeping us up-to-date with this issue...

I am delighted to see that users read our forums and also post updated news if they came across them before we do...

Thanks again!

(in reply to LinuxMarshall)