In association with heise online

10 January 2008, 14:45

Another flaw found in AOL Radio

  • Twitter
  • Facebook
  • submit to slashdot
  • StumbleUpon
  • submit to reddit

US-CERT has identified a flaw in components of AOL Radio. The ActiveX-Control (AmpX.dll) for Internet Explorer supplied by AOL uses the file AOLMediaPlaybackControl.exe, which contains the security hole. The AppendFileToPlayList() function of this control allows a buffer overflow that a malicious web site can exploit to run code. Even an HTML email can exploit the hole to compromise a system.

US-CERT doesn't say precisely which version contains the error, but states that AOL has already solved the problem and is issuing a fix via automatic update. Alternatively, users can prevent Internet Explorer loading the control by setting the 'kill bit' for it. To do this, save the following text in a file with the extension .reg and then execute it in Windows Explorer:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{B49C4597-8721-4789-9250-315DFBD9F525}] "Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{FA3662C3-B8E8-11D6-A667-0010B556D978}] "Compatibility Flags"=dword:00000400

AOL has already closed a similar hole in the controller for its AOL Radio in November 2007.

See also:


Print Version | Send by email | Permalink:

  • July's Community Calendar

The H Open

The H Security

The H Developer

The H Internet Toolkit