12:54 PM

AOL Patches Critical Browser Bug

Attackers would need to dupe users into visiting a malicious Web site to exploit the vulnerability.

An ActiveX control shipped with AOL's Web access software can be used by attackers to hijack users' PCs, security companies said Thursday. AOL has released a fix and urged users to log on to obtain it.

According to Reston, Va.-based iDefense Labs, America Online 9.0 Security Edition -- which is based on Microsoft's Internet Explorer 6.0 browser -- uses an ActiveX control dubbed "YGPPDownload" that can be exploited using two separate flaws in the control's code.

"This control is registered as safe for scripting in IE and contains a buffer overflow," read the iDefense alerts. "Exploitation of this vulnerability is trivial and allows for arbitrary execution of code as the currently logged in user."

Attackers would need to dupe users into visiting a malicious Web site to exploit the two vulnerabilities.
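The reason a Web page can reach the control at all is that it is registered as "safe for scripting." As an added defensive check, not code from the article, AOL or iDefense, the PowerShell script below lists every ActiveX control registered under IE's safe-for-scripting category and reports whether a kill bit blocks it; the category GUID and the kill-bit registry location are documented Windows values, while the control's CLSID is not given in the article, so the script filters by display name (the `-NameFilter` parameter is hypothetical).

```powershell
# Added audit script (not from the article): enumerate ActiveX controls marked
# "safe for scripting" and show whether IE's kill bit prevents instantiation.
param(
    [string]$NameFilter = '*'   # e.g. 'YGPP*' to narrow to controls like the one named above
)

# Documented category GUID for CATID_SafeForScripting
$SafeForScripting = '{7DD95801-9882-11CF-9FA9-00AA006C42C4}'
# Documented location of IE kill bits; 0x400 in "Compatibility Flags" blocks the control
$KillBitRoot = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'
$KillBitFlag = 0x400

# HKCR is not mapped as a drive by default
if (-not (Test-Path 'HKCR:')) {
    New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT | Out-Null
}

Get-ChildItem 'HKCR:\CLSID' -ErrorAction SilentlyContinue | ForEach-Object {
    $clsid  = $_.PSChildName
    $catKey = "$($_.PSPath)\Implemented Categories\$SafeForScripting"
    if (-not (Test-Path $catKey)) { return }   # not scriptable from a Web page; skip

    $name = (Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue).'(default)'
    if ($name -notlike $NameFilter) { return }

    # DLL that implements the control, useful for locating the vendor and version
    $server = (Get-ItemProperty "$($_.PSPath)\InprocServer32" -ErrorAction SilentlyContinue).'(default)'

    # Read the kill bit, if any, for this CLSID
    $flags = 0
    $kb = Get-ItemProperty "$KillBitRoot\$clsid" -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
    if ($kb) { $flags = [int]$kb.'Compatibility Flags' }

    [pscustomobject]@{
        CLSID      = $clsid
        Name       = $name
        Server     = $server
        KillBitSet = (($flags -band $KillBitFlag) -ne 0)
    }
} | Sort-Object KillBitSet, Name | Format-Table -AutoSize
```

Controls listed with `KillBitSet` false remain reachable from any page loaded in IE, so each one should be either a current, patched version or blocked by setting the kill bit.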

Danish vulnerability tracker Secunia collectively pegged the bugs with a "Highly critical" rating, its second-from-the-top rank.

AOL subscribers using 9.0 Security Edition or 9.0 should log on, said iDefense, to automatically obtain a fix for the flaws. Users relying on older versions of the AOL software should instead update to the newest edition of 9.0 Security.

Both of the vulnerabilities reported by iDefense were discovered by researchers rewarded by the company's Vulnerability Contributor Program, a bug bounty scheme that has been in operation since 2005.
