
CERT Coordination Center

AOL You've Got Pictures ActiveX control buffer overflow

Vulnerability Note VU#715730

Original Release Date: 2006-01-16 | Last Revised: 2006-01-31

Overview

The AOL You've Got Pictures service contains a buffer overflow that may allow a remote attacker to execute arbitrary code or cause a denial-of-service condition.

Description

AOL You've Got Pictures provides digital photography storage and manipulation services for AOL users. There is a buffer overflow in an AOL YPG Picture Finder Tool ActiveX Control. This control is provided by YGPPicFinder.DLL. This vulnerability affects AOL 8.0, 8.0 Plus, and 9.0 Classic. In addition, the vulnerable control was distributed via the You've Got Pictures web site prior to 2004.

Impact

A remote attacker may be able to execute arbitrary code or cause a denial-of-service condition.

Solution

Upgrade

Upgrading to AOL 9.0 Optimized and AOL 9.0 Security Edition corrects this issue. In addition, AOL has released a hotfix to correct this issue.
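To confirm on a Windows host that the control shipped in YGPPicFinder.DLL is no longer registered after the upgrade or hotfix, the following PowerShell script is an added example written for this note; it is not code from CERT/CC or AOL. It assumes only the DLL file name given in the Description above, and it also reports IE's standard ActiveX kill bit (Compatibility Flags bit 0x400), a mechanism this note does not itself describe.

```powershell
# Added example (not from the CERT note or AOL): list COM classes whose
# in-process server is YGPPicFinder.DLL, the control named in VU#715730,
# so a defender can see where it is still registered on a host.
function Find-YgpPicFinderControl {
    param([string]$DllName = 'YGPPicFinder.DLL')

    # 64-bit hosts keep 32-bit COM registrations under WOW6432Node.
    $clsidRoots = @('Registry::HKEY_CLASSES_ROOT\CLSID',
                    'Registry::HKEY_CLASSES_ROOT\WOW6432Node\CLSID')
    # Standard IE kill-bit location; bit 0x400 blocks the control in IE.
    $killBitRoots = @('HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
                      'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility')

    foreach ($root in $clsidRoots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        foreach ($key in Get-ChildItem -LiteralPath $root -ErrorAction SilentlyContinue) {
            $serverKey = Join-Path $key.PSPath 'InprocServer32'
            if (-not (Test-Path -LiteralPath $serverKey)) { continue }
            $server = (Get-ItemProperty -LiteralPath $serverKey -ErrorAction SilentlyContinue).'(default)'
            if (-not $server) { continue }

            # Compare on file name only; the registered path may be quoted or relative.
            $file = [System.IO.Path]::GetFileName($server.Trim('"'))
            if ($file -ine $DllName) { continue }

            $clsid = $key.PSChildName
            $killBit = $false
            foreach ($kbRoot in $killBitRoots) {
                $flags = (Get-ItemProperty -LiteralPath (Join-Path $kbRoot $clsid) `
                          -ErrorAction SilentlyContinue).'Compatibility Flags'
                if ($flags -and ($flags -band 0x400)) { $killBit = $true }
            }

            [pscustomobject]@{
                CLSID      = $clsid
                ServerPath = $server
                FileExists = Test-Path -LiteralPath ($server.Trim('"'))
                KillBitSet = $killBit
            }
        }
    }
}

# No output means no class registration points at the DLL on this host.
Find-YgpPicFinderControl | Format-Table -AutoSize
```

A registration whose file no longer exists still leaves the CLSID resolvable, so the FileExists column is worth reading alongside KillBitSet when deciding whether cleanup is complete.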

Vendor Information


America Online, Inc. Affected

Notified: January 05, 2006 | Updated: January 09, 2006

Status

Affected

Vendor Statement

Overview

America Online was recently made aware of a security vulnerability present in an ActiveX control that was distributed as part of our 8.0, 8.0+ and 9.0 Classic software. This control was also distributed via the "You've Got Pictures" web site prior to 2004. AOL 9.0 Optimized and AOL 9.0 Security Edition do not contain this control and are not affected. The control is no longer in use by any AOL systems, and is not needed in order to use AOL's "You've Got Pictures".

Affected Products and Applications

The following AOL software versions are affected by this issue:

* AOL 8.0+
* AOL 9.0 Classic

In addition, any Windows platform that has installed plug-ins from the "You've Got Pictures" website prior to 2004 is potentially affected.

Solutions

1. America Online, Inc. recommends that all active AOL users of potentially affected software (listed above) sign on to the AOL service where a fix will automatically and transparently be applied to their systems.

2. Affected users who are not active AOL Members may download a hotfix from AOL that will address the issue. The hotfix can be downloaded from

    http://download.newaol.com/security/YGPClean.exe

Acknowledgments

America Online, Inc. would like to thank Richard Smith for his assistance in responsibly addressing this issue.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.


Acknowledgements

This vulnerability was reported by AOL. AOL credits Richard M. Smith for providing information regarding this vulnerability.

This document was written by Jeff Gennari.

Other Information

CVE IDs: None
Severity Metric: 1.59
Date Public: 2006-01-16
Date First Published: 2006-01-16
Date Last Updated: 2006-01-31 15:05 UTC
Document Revision: 56

Sponsored by CISA.