AOL’s Instant Messenger vulnerable to hackers

A buffer-overflow vulnerability in the latest version of America Online Inc.’s popular Instant Messenger (AIM) chat software could let remote attackers break into a victim’s system and execute arbitrary code.

The vulnerability involves a feature of AIM Version 4.7 that lets users invite other AOL members to play online games with them, according to Matt Conover, a founding member of w00w00 Security Development, an online security research group that discovered the flaw.

The vulnerability results from an overflow in the code that parses a game request, according to Conover. A hacker could exploit it to take control of a victim’s system and do things such as downloading and executing a malicious file from the Internet.

In an e-mail to Computerworld US, Conover described the vulnerability as “fairly difficult to exploit.”

But its implications are huge “and leave the door wide open for a worm not unlike those that Microsoft Outlook, IIS, et al. have all had,” w00w00 cautioned in its advisory.

“Any Windows AIM user is vulnerable. They won’t even see the request. It’s not related to the chat features. No prior conversation or authorization is required to exploit this,” Conover said in his e-mail.

AOL has identified the issue and is developing a patch to address the flaw, said Andrew Weinstein, a company spokesman. The patch should become available in the next day or two, he said.