A new security vulnerability in America Online Inc.'s Instant Messenger (AIM) program could allow an attacker to run a program on a user's computer.
AOL has fixed the vulnerability on its servers, however, so users need take no action to be protected, said Andrew Weinstein, a spokesman for AOL.
The vulnerability came about as the result of a buffer overflow in the "add external application" component in AIM which allows users to share programs, said Weinstein.
AOL was notified of the bug about 10 days ago and fixed the flaw soon thereafter by making changes to its servers, Weinstein said. The company has had no reports of users being affected by the vulnerability, he said.
In early January the company was alerted to a similar vulnerability in AIM by the security group w00w00. That vulnerability, which is "reasonably similar" to Monday's issue, according to Weinstein, allowed a malicious user to send attack code via AIM's shared game feature [See "AOL confirms security hole in AIM," Jan. 2]. AOL also fixed that problem on its servers. [See "AOL fixes security hole in AIM," Jan .3]Despite the similarity in the two vulnerabilities, Weinstein downplayed the idea that there are more far-reaching issues in AIM.
"There is a very limited range of potential similar areas of vulnerability," he said.