AOL - Buddy takes over your computer
A bug in AOL software puts PCs at risk wherever the vulnerable component is installed, including PCs whose owners never use AOL. According to security services provider TippingPoint, AOL's SuperBuddy ActiveX control contains a critical vulnerability: a manipulated webpage, viewed in Internet Explorer, can instantiate the control and use the flaw to inject and execute arbitrary code, giving the attacker complete control of the computer. The control itself is used to load animated icons with sound. The bug was found in America Online 9.0 Security Edition. AOL released an update on 29th March that fixes the vulnerability, but it is delivered only through the AOL client, the next time a user connects to AOL. The vendor was apparently informed of the problem as long ago as 18th July 2006.
TippingPoint notes that many PCs, including PCs from Dell and Hewlett Packard, ship with AOL software pre-installed. Because many of these users go on to use a different internet service and never connect to AOL, the update is never applied and the vulnerable control stays registered on the PC, where Internet Explorer can still load it. Affected users can manually delete the Sb.SuperBuddy.1 control or set the kill bit, which is keyed by the control's CLSID rather than its ProgID, so that Internet Explorer refuses to load it. Further information on doing so is given in the TippingPoint advisory.
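As an added example, not taken from the TippingPoint advisory or from AOL, the following PowerShell script sets the kill bit for the control. The article names only the ProgID Sb.SuperBuddy.1, so the script resolves that ProgID to its CLSID from the registry at run time rather than relying on a hard-coded CLSID. The kill-bit mechanism itself (DWORD "Compatibility Flags" with bit 0x400 set under the "ActiveX Compatibility" key, plus the Wow6432Node view for 32-bit Internet Explorer on 64-bit Windows) is Microsoft's documented procedure; the script assumes it is run from an elevated PowerShell prompt.

```powershell
# Added example: set the Internet Explorer kill bit for the AOL SuperBuddy control.
# Not code from TippingPoint or AOL. Assumes an elevated PowerShell session.

$ProgId  = 'Sb.SuperBuddy.1'   # ProgID named in the advisory
$KillBit = 0x400               # COMPAT_EVIL_DONT_LOAD in "Compatibility Flags"

# Resolve ProgID -> CLSID from HKEY_CLASSES_ROOT. If the key is absent, the
# control is not registered on this machine and there is nothing to block.
$clsidKey = "Registry::HKEY_CLASSES_ROOT\$ProgId\CLSID"
if (-not (Test-Path $clsidKey)) {
    Write-Host "$ProgId is not registered on this machine; nothing to do."
    return
}
$clsid = (Get-ItemProperty -Path $clsidKey).'(default)'
Write-Host "$ProgId resolves to CLSID $clsid"

# Kill-bit locations: the native view, and on 64-bit Windows also the
# Wow6432Node view that 32-bit Internet Explorer reads.
$paths = @("HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$clsid")
if ([Environment]::Is64BitOperatingSystem) {
    $paths += "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$clsid"
}

foreach ($p in $paths) {
    if (-not (Test-Path $p)) { New-Item -Path $p -Force | Out-Null }
    # Keep any flags already present and OR in the kill bit.
    $existing = (Get-ItemProperty -Path $p -Name 'Compatibility Flags' `
                 -ErrorAction SilentlyContinue).'Compatibility Flags'
    $new = ([int]$existing) -bor $KillBit
    Set-ItemProperty -Path $p -Name 'Compatibility Flags' -Value $new -Type DWord
}

# Verify: report the resulting flags and whether the kill bit is now set.
foreach ($p in $paths) {
    $flags = (Get-ItemProperty -Path $p -Name 'Compatibility Flags').'Compatibility Flags'
    $set   = ($flags -band $KillBit) -ne 0
    Write-Host ("{0}: Compatibility Flags = 0x{1:X8}, kill bit set = {2}" -f $p, $flags, $set)
}
```

Setting the kill bit leaves the control's files and COM registration in place but makes Internet Explorer refuse to instantiate it from a webpage, which is the exposure the advisory describes; a later AOL update that replaces the control with a fixed build under a new CLSID is unaffected by this entry.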
- America Online SuperBuddy ActiveX Control Code Execution Vulnerability, security advisory from TippingPoint