AOL fixes fatal photo flaw

America Online Inc. (AOL) users may want to upgrade to the latest version of the company’s software following the discovery of a critical flaw in the AOL suite of client software.

The bug, which was reported (http://www.frsirt.com/english/advisories/2006/0221) Monday on the FrSIRT (French Security Incident Response Team) Web site could be used by attackers to run unauthorized software on an unpatched computer.

The flaw concerns an ActiveX control in AOL’s YGP Picture Finder Tool, used by AOL’s You’ve Got Pictures photo-sharing service. It is found in several versions of AOL’s suite, including AOL 8.0, 8.0+ and 9.0 Classic.

Attackers could exploit this bug to seize control of an unpatched system by tricking users into visiting a specially crafted Web page, the FrSIRT alert says.

A stand-alone version of You’ve Got Pictures that is not bundled with the AOL client suite is not affected by the vulnerability, AOL said.

Though the bug was publicly disclosed on Monday, the security researcher who discovered it, Richard M. Smith, had reported the problem to AOL several months earlier, said AOL spokesman Andrew Weinstein.

“We had the issue brought to our attention around July, and we had a fix put into place and pushed that out to our of all members who logged on over a four-week period from October to November,” he said.

Members who did not log into AOL during this period last year have not received the patch, however, and are encouraged to download a more recent version of the client suite (http://downloads.channel.aol.com/) or apply a hotfix patch (http://download.newaol.com/security/YGPClean.exe).

“If someone is worried that they didn’t log on over the course of early October to early November, and they are on an earlier version than AOL 9.0 Optimized, then they should download the hotfix,” Weinstein said.

AOL is not aware of any software in circulation that can be used to exploit the code, Weinstein added. “Given that the affected population is so small, I would be surprised to see any exploits.”

Would you recommend this article?

Share

Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.


Jim Love, Chief Content Officer, IT World Canada

Featured Download

Featured Articles

Cybersecurity in 2024: Priorities and challenges for Canadian organizations 

By Derek Manky As predictions for 2024 point to the continued expansion...

Survey shows generative AI is a top priority for Canadian corporate leaders.

Leaders are devoting significant budget to generative AI for 2024 Canadian corporate...

Related Tech News

Tech Jobs

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

Tech Companies Hiring Right Now