US-CERT Vulnerability Notes Database

AOL Time Warner Information for VU#907819

Date Notified: 2002-01-02
Date Updated:
Statement Date:
Status Summary: Vulnerable

Vendor Statement

America Online Security Advisory

Post date: January 3, 2002

Subject: Buffer Overflow Vulnerability in AOL Instant Messenger for Windows

Problem:

A potential vulnerability was found in AOL Instant Messenger (AIM) for Windows software which might have allowed the compromise of systems running certain versions of the AIM client. The exploit mechanism involves sending messages specifically designed to exercise a buffer overflow vulnerability in the AIM client, which results in a condition on the target system that could potentially allow an attacker to execute arbitrary code. The buffer overflow condition is only valid for message types which require traversal through the AOL server complex; peer-to-peer messaging functions are not vulnerable to this exploit.

Mitigation:

As of the morning of January 3, 2002, AOL has modified the AIM server side infrastructure to counter attacks of this type, protecting AIM users from this exploit. Additionally, the next release of the AIM client software will include changes which remove the buffer overflow condition.

AIM is not vulnerable to this buffer overflow condition through any peer-to-peer messages; therefore the server side mitigations protect all clients from this exploit.

Vulnerable Versions:

Please note, due to the server side modifications, AIM users are *no longer* vulnerable to this exploit, regardless of client software version.

AIM software containing the buffer overflow:
    AIM for Windows, version 1.0 - 3.0.1415
    AIM for Windows, version 4.3.2229 and greater (4.8.2616 is the latest beta version)

Unaffected software:

All AIM clients for non-Windows platforms would not have been affected. Additionally, the AIM client integrated with the Netscape 6 browser would not have been vulnerable. AOL members using the internal AOL Buddy List in the AOL client would not have been affected.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Produced 2009 by US-CERT, a government organization