According to an alert posted by security company iDefense, AOL's browser uses a flawed method to render compressed images in the .art format. End result: The computer is hijacked.
AOL Thursday slipstreamed a security update to users of the Internet provider's browser to fix a bug that Microsoft patched back in June.
According to an alert posted by Reston, Va. security company iDefense Inc., AOL's browser uses a flawed method to render compressed images in the .art format. An attacker can exploit the bug by convincing users to view a maliciously-crafted .art image; the resulting heap overflow can be further leveraged, letting the attacker post his own code to the victimized PC. End result: The computer is hijacked.
"iDefense analysis has shown that exploitation can be as reliable as 75 percent with the current exploitation method," the warning read. In the 1-in-4 attempts that would likely fail, the PC would probably slow down or lock up entirely.
AOL's browser is a highly-customized version of Microsoft's Internet Explorer; the latter was patched to fix the .art flaw in June with the security bulletin MS06-022. AOL 9.0 and earlier are affected.
AOL subscribers using 9.0 only need to log on to the service -- a fix will be applied automatically -- but members working with an earlier edition of the ISP's client software should upgrade to 9.0 Security Edition.
5 Top Federal Initiatives For 2015As InformationWeek Government readers were busy firming up their fiscal year 2015 budgets, we asked them to rate more than 30 IT initiatives in terms of importance and current leadership focus. No surprise, among more than 30 options, security is No. 1. After that, things get less predictable.