More problems with dodgy AOL ActiveX controls
Vulnerabilities in AOL's "You Got Pictures" (YGP) screen saver may allow an attacker to gain control over systems on which AOL access software is installed. Security services provider iDefense reports that the bug involves a buffer overflow in the downloadFileDirectory and AddPictureNoAlbum functions of the YGPPDownload ActiveX control. Internet Explorer users may pick up malicious software through this vulnerability when visiting manipulated websites. Just two weeks ago, security experts discovered comparable flaws in the YGP components.
iDefense recommends that all AOL version 9.0 users log on to the AOL service in order to start the automatic update mechanism, which fixes the flaw by installing a patched version. Users of older versions of the access software do not, however, get automatic updates. They are advised to update to AOL version 9.0 as soon as possible.
See also:
- AOL YGPPDownload AddPictureNoAlbum ActiveX Control Heap Corruption Vulnerability, security advisory from iDefense
- AOL YGPPDownload downloadFileDirectory ActiveX Control Heap Corruption Vulnerability, security advisory from iDefense
- AOL Active X controls open up security vulnerabilities from heise Security
(ehe)