AOL Time Warner Affected

Notified: January 02, 2002 Updated: January 03, 2002

Status

Affected

Vendor Statement

America Online Security Advisory

Post date: January 3, 2002

Subject: Buffer Overflow Vulnerability in AOL Instant Messenger for Windows

Problem: A potential vulnerability was found in AOL Instant Messenger (AIM) for Windows software which might have allowed the compromise of systems running certain versions of the AIM client. The exploit mechanism involves sending messages specifically designed to exercise a buffer overflow vulnerability in the AIM client, which results in a condition on the target system that could potentially allow an attacker to execute arbitrary code. The buffer overflow condition is only valid for message types which require traversal through the AOL server complex; peer to peer messaging functions are not vulnerable to this exploit.

Mitigation: As of the morning of January 3, 2002, AOL has modified the AIM server side infrastructure to counter attacks of this type, protecting AIM users from this exploit. Additionally, the next release of the AIM client software will include changes which remove the buffer overflow condition. AIM is not vulnerable to this buffer overflow condition through any peer-to-peer messages, therefore the server side mitigations protect all clients from this exploit.

Vulnerable Versions: Please note, due to the server side modifications, AIM users are *no longer* vulnerable to this exploit, regardless of client software version.

AIM software containing the buffer overflow:

AIM for Windows, version 1.0 - 3.0.1415

AIM for Windows, version 4.3.2229 and greater (4.8.2616 is the latest beta version)

Unaffected software: All AIM clients for non-Windows platforms would not have been affected. Additionally, the AIM client integrated with the Netscape 6 browser would not have been vulnerable. AOL members using the internal AOL Buddy List in the AOL client would not have been affected.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.