AOL Security Edition 9.0 vulnerable to attack

Attackers could exploit a flaw in AOL Security Edition 9.0 to run malicious code on targeted machines. A fix is available.

Attackers could exploit a flaw in AOL Security Edition 9.0 to run malicious code on targeted machines, but the vendor has made a fix available.

The program builds upon Internet Explorer technology to offer users enhanced security and usability features. A flaw in the product was discovered by Reston, Va.-based iDefense Labs, a division of VeriSign Inc.

"America Online 9.0 Security Edition ships with an ActiveX control which is marked as safe for scripting and contains a buffer overflow vulnerability," iDefense said in an advisory. "Exploitation of this vulnerability is trivial and allows for arbitrary execution of code as the currently logged-in user."

However, a user would first have to be lured to a malicious Web site for the flaw to be exploited.

The flaw was confirmed in AOL Security Edition 9.0 with downloader plug-in version 9.2.3.0. Users of AOL 9.0 or AOL 9.0 Security Edition are advised to log in to the AOL service, after which a fix will be applied seamlessly to their system, iDefense said.

Danish vulnerability clearinghouse Secunia rated the flaw "highly critical" in its advisory because attackers could exploit it remotely. Secunia said there are two specific vulnerabilities:

  • A boundary error in the YGPPDownload ActiveX control (YGPPicDownload.dll) that surfaces when processing input passed to the "AddPictureNoAlbum()" method, which can be exploited to cause a heap-based buffer overflow.
  • A boundary error in the YGPPDownload ActiveX control (YGPPicDownload.dll) when processing input passed to the "downloadFileDirectory" property, which can also be exploited to cause a heap-based buffer overflow.

"Successful exploitation of the vulnerabilities allows execution of arbitrary code," Secunia said.
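For administrators who want to check whether the affected control is present on a Windows host, the following PowerShell script is an added example, not code from the article or from AOL, iDefense or Secunia. It locates every COM class registered with YGPPicDownload.dll (the DLL named in the Secunia advisory) as its in-process server and reports whether Internet Explorer's kill bit (Compatibility Flags value 0x400, Microsoft's documented way to block a control from being instantiated in the browser) is set for that CLSID. The CLSIDs are discovered from the registry at run time; none are assumed.

```powershell
# Added example: find COM classes backed by YGPPicDownload.dll and report
# whether IE's kill bit (0x400) is set for each. Run in an elevated shell.
$dllName    = 'YGPPicDownload.dll'
$killBit    = 0x400
$compatRoot = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'

function Get-ActiveXKillBitStatus {
    param([string]$Dll)
    $results = @()
    # Walk every CLSID and look at its InprocServer32 default value (the DLL path).
    Get-ChildItem 'Registry::HKEY_CLASSES_ROOT\CLSID' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $serverKey = Join-Path $_.PSPath 'InprocServer32'
            $server = Get-ItemProperty -Path $serverKey -ErrorAction SilentlyContinue
            if ($server -and $server.'(default)' -like "*$Dll") {
                $clsid = $_.PSChildName
                # Compatibility Flags lives under the ActiveX Compatibility key, per CLSID.
                $flags = (Get-ItemProperty -Path (Join-Path $compatRoot $clsid) `
                          -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
                $results += [pscustomobject]@{
                    CLSID      = $clsid
                    Server     = $server.'(default)'
                    KillBitSet = [bool]($flags -band $killBit)
                }
            }
        }
    return $results
}

$status = Get-ActiveXKillBitStatus -Dll $dllName
if (-not $status) {
    "No COM class registered for $dllName on this host."
} else {
    $status | Format-Table -AutoSize
}
```

A row with KillBitSet equal to False means the control can still be instantiated by a Web page in Internet Explorer, so the host should receive the vendor fix described above.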
