AOL Time Warner Information for VU#907819
AOL Instant Messenger client for Windows contains a buffer overflow while parsing TLV 0x2711 packets
- Date Notified: 02 Jan 2002
- Statement Date:
- Date Updated: 03 Jan 2002
America Online Security Advisory
Post date: January 3, 2002
Subject: Buffer Overflow Vulnerability in AOL Instant Messenger for Windows
- A potential vulnerability was found in AOL Instant Messenger (AIM) for Windows software which might have allowed the compromise of systems running certain versions of the AIM client. The exploit mechanism involves sending messages specifically designed to exercise a buffer overflow vulnerability in the AIM client, which results in a condition on the target system that could potentially allow an attacker to execute arbitrary code. The buffer overflow condition is only valid for message types which require traversal through the AOL server complex; peer-to-peer messaging functions are not vulnerable to this exploit.
- As of the morning of January 3, 2002, AOL has modified the AIM server-side infrastructure to counter attacks of this type, protecting AIM users from this exploit. Additionally, the next release of the AIM client software will include changes which remove the buffer overflow condition.
AIM is not vulnerable to this buffer overflow condition through any peer-to-peer messages; therefore, the server-side mitigations protect all clients from this exploit.
- Please note, due to the server-side modifications, AIM users are *no longer* vulnerable to this exploit, regardless of client software version.
- AIM for Windows, version 1.0 - 3.0.1415
AIM for Windows, version 4.3.2229 and greater (4.8.2616 is the latest beta version)
- All AIM clients for non-Windows platforms would not have been affected. Additionally, the AIM client integrated with the Netscape 6 browser would not have been vulnerable. AOL members using the internal AOL Buddy List in the AOL client would not have been affected.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.