AOL Security Edition 9.0 vulnerable to attack

Bill Brenner

Attackers could exploit a flaw in AOL Security Edition 9.0 to run malicious code on targeted machines, but the vendor has made a fix available.

The program builds upon Internet Explorer technology to offer users enhanced security and usability features. A flaw in the product was discovered by Reston, Va.-based iDefense Labs, a division of VeriSign Inc.

"America Online 9.0 Security Edition ships with an ActiveX control which is marked as safe for scripting and contains a buffer overflow vulnerability," iDefense said in an advisory. "Exploitation of this vulnerability is trivial and allows for arbitrary execution of code as the currently logged-in user."

However, exploitation requires convincing a user to visit a malicious Web site.

The flaw was confirmed in AOL Security Edition 9.0 with downloader plug-in version 9.2.3.0. Users of AOL 9.0 or AOL 9.0 Security Edition are advised to log in to the AOL service, after which a fix will be seamlessly applied to their system, iDefense said.

Danish vulnerability clearinghouse Secunia rated the flaw "highly critical" in its advisory because attackers could exploit it remotely. Secunia said there are two specific vulnerabilities:

  • A boundary error in the YGPPDownload ActiveX control (YGPPicDownload.dll) that surfaces when processing input passed to the "AddPictureNoAlbum()" method, which can be exploited to cause a heap-based buffer overflow.
  • A boundary error in the YGPPDownload ActiveX control (YGPPicDownload.dll) when processing input passed to the "downloadFileDirectory" property, which can also be exploited to cause a heap-based buffer overflow.

"Successful exploitation of the vulnerabilities allows execution of arbitrary code," Secunia said.
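
To check whether a Windows machine still has the control registered, the following PowerShell inventory is an added example, not code from iDefense, Secunia or AOL. It assumes the control is registered as an in-process COM server whose path contains YGPPicDownload.dll and that the DLL's file version corresponds to the plug-in version quoted above; the registry locations and the safe-for-scripting category ID are standard Windows values, not taken from the advisories.

```powershell
# Added example: inventory COM registrations backed by YGPPicDownload.dll.
$dllName   = 'YGPPicDownload.dll'   # file name quoted from the Secunia advisory
$confirmed = '9.2.3.0'              # version the flaw was confirmed in (assumed to match the DLL file version)
# Standard component category ID for "safe for scripting" (CATID_SafeForScripting).
$safeCat   = '{7DD95801-9882-11CF-9FA9-00AA006C42C4}'

$roots = 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID',
         'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Classes\CLSID',
         'Registry::HKEY_CURRENT_USER\Software\Classes\CLSID'

$findings = foreach ($root in $roots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }
    foreach ($clsid in Get-ChildItem -LiteralPath $root -ErrorAction SilentlyContinue) {
        $inproc = $clsid.OpenSubKey('InprocServer32')
        if ($null -eq $inproc) { continue }
        $path = [string]$inproc.GetValue('')          # default value holds the DLL path
        if ($path -notlike "*$dllName*") { continue }

        $path = [Environment]::ExpandEnvironmentVariables($path.Trim('"'))
        $version = $null
        if (Test-Path -LiteralPath $path) {
            $vi = (Get-Item -LiteralPath $path).VersionInfo
            # Build the version from numeric parts; the string form varies between builds.
            $version = '{0}.{1}.{2}.{3}' -f $vi.FileMajorPart, $vi.FileMinorPart,
                                            $vi.FileBuildPart, $vi.FilePrivatePart
        }

        # A control can also declare itself safe through IObjectSafety at run time,
        # so $false here does not prove the control is unscriptable.
        $cat = $clsid.OpenSubKey("Implemented Categories\$safeCat")

        [pscustomobject]@{
            Clsid                 = $clsid.PSChildName
            Path                  = $path
            FileVersion           = $version
            SafeForScriptingKey   = ($null -ne $cat)
            MatchesConfirmedBuild = ($version -eq $confirmed)
        }
    }
}

if ($findings) { $findings | Format-List }
else { "No COM registration referencing $dllName was found." }
```

A row with MatchesConfirmedBuild set to True identifies a host that still carries the build the flaw was confirmed in; other versions are reported for review because the article does not state which version contains the fix.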

