Highly critical exploit found in AOL Instant Messenger

Ryan McGeehan of TheBillyGoatCurse.com has reported a vulnerability in AOL Instant Messenger (AIM), which potentially can be exploited by malicious people to compromise a user's system.

The vulnerability is caused by a boundary error in the handling of "Away" messages and can be exploited to cause a stack-based buffer overflow by supplying an overly long "Away" message (about 1024 bytes). A malicious website can exploit this via the "aim:" URI handler by passing an overly long argument to the "goaway?message" parameter.

Successful exploitation may allow execution of arbitrary code on a user's system when e.g. a malicious website is visited with certain browsers.

The vulnerability has been confirmed in version 5.5.3595. Other versions may also be affected.

Various other issues were also reported, where a large amount of resources can be consumed on a user's system.

AOL was contacted but has not responded.
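As an added example (not from Secunia, the reporter or AOL), a filter such as the following can flag web content or proxy log lines that carry an "aim:" link whose "goaway?message" argument is unusually long. The 512-byte threshold, the function names and the sample page are assumptions made for illustration.

```python
import html
import re
from urllib.parse import unquote_to_bytes

# Assumption: alert well below the ~1024-byte figure given in the advisory.
MAX_AWAY_BYTES = 512

# aim: URIs as they appear in HTML attributes or proxy log lines.
AIM_URI = re.compile(r"\baim:[^\s\"'<>]+", re.IGNORECASE)

def away_message_length(uri):
    """Decoded byte length of the goaway 'message' argument, or None."""
    scheme, _, rest = html.unescape(uri).partition(":")
    if scheme.lower() != "aim":
        return None
    action, _, query = rest.partition("?")
    if action.strip("/").lower() != "goaway":
        return None
    longest = None
    for pair in query.split("&"):
        name, _, value = pair.partition("=")
        if name.lower() == "message":
            # Measure after percent-decoding: that is what the client copies.
            size = len(unquote_to_bytes(value.replace("+", " ")))
            longest = size if longest is None else max(longest, size)
    return longest

def find_oversized_away_links(text, limit=MAX_AWAY_BYTES):
    """Return (offset, decoded_length) for each goaway link over the limit."""
    hits = []
    for match in AIM_URI.finditer(text):
        size = away_message_length(match.group(0))
        if size is not None and size > limit:
            hits.append((match.start(), size))
    return hits

# Constructed sample input: one normal link, one oversized goaway link,
# and one long link to a different aim: action that must not be flagged.
SAMPLE_PAGE = (
    '<a href="aim:goaway?message=Back+in+5+minutes">ok</a>\n'
    '<a href="AIM:GoAway?message=' + "%41" * 1100 + '">long</a>\n'
    '<a href="aim:goim?screenname=example&amp;message=' + "B" * 2000 + '">im</a>\n'
)

if __name__ == "__main__":
    for offset, size in find_oversized_away_links(SAMPLE_PAGE):
        print(f"offset {offset}: goaway message of {size} bytes")
```

The length is measured after percent-decoding, so an encoded argument cannot slip under the threshold by looking shorter or longer on the wire than it is once decoded.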

News source: Secunia
