America Online Inc. (AOL) users may want to upgrade to the latest version of the company’s software following the discovery of a critical flaw in the AOL suite of client software.
The bug, which was reported (http://www.frsirt.com/english/advisories/2006/0221) Monday on the FrSIRT (French Security Incident Response Team) Web site could be used by attackers to run unauthorized software on an unpatched computer.
The flaw concerns an ActiveX control in AOL’s YGP Picture Finder Tool, used by AOL’s You’ve Got Pictures photo-sharing service. It is found in several versions of AOL’s suite, including AOL 8.0, 8.0+ and 9.0 Classic.
Attackers could exploit this bug to seize control of an unpatched system by tricking users into visiting a specially crafted Web page, the FrSIRT alert says.
A stand-alone version of You’ve Got Pictures that is not bundled with the AOL client suite is not affected by the vulnerability, AOL said.
Though the bug was publicly disclosed on Monday, the security researcher who discovered it, Richard M. Smith, had reported the problem to AOL several months earlier, said AOL spokesman Andrew Weinstein.
“We had the issue brought to our attention around July, and we had a fix put into place and pushed that out to our of all members who logged on over a four-week period from October to November,” he said.
Members who did not log into AOL during this period last year have not received the patch, however, and are encouraged to download a more recent version of the client suite (http://downloads.channel.aol.com/) or apply a hotfix patch (http://download.newaol.com/security/YGPClean.exe).
“If someone is worried that they didn’t log on over the course of early October to early November, and they are on an earlier version than AOL 9.0 Optimized, then they should download the hotfix,” Weinstein said.
AOL is not aware of any software in circulation that can be used to exploit the code, Weinstein added. “Given that the affected population is so small, I would be surprised to see any exploits.”
