Attackers would need to dupe users into visiting a malicious Web site to exploit the vulnerability.
An ActiveX control shipped with AOL's Web access software can be used by attackers to hijack users' PCs, security companies said Thursday. AOL has released a fix, and urged users to log on to obtain it.
According to Reston, Va.-based iDefense Labs, America Online 9.0 Security Edition -- which is based on Microsoft's Internet Explorer 6.0 browser -- uses an ActiveX control dubbed "YGPPDownload" that can be exploited using two separate flaws in the control's code.
"This control is registered as safe for scripting in IE and contains a buffer overflow," read the iDefense alerts. "Exploitation of this vulnerability is trivial and allows for arbitrary execution of code as the currently logged in user."
Both flaws are reachable from an ordinary web page: an attacker needs only to lure a user to a malicious site that instantiates the control, and because the control is registered as safe for scripting, IE lets the page's script drive it without prompting the user.
Danish vulnerability tracker Secunia gave the pair a single "Highly critical" rating, the second-highest of its five severity levels.
iDefense said subscribers running AOL 9.0 or 9.0 Security Edition need only log on; the fix is delivered automatically. Users on older versions of the AOL software should instead upgrade to the current 9.0 Security Edition.
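The exposure described above hinges on one registry fact: IE will let any web page script a control whose CLSID carries the "safe for scripting" component category, unless the control's kill bit is set. The PowerShell below is an added example, not code from the article, iDefense, or AOL. It audits a control by CLSID (the article names none for YGPPDownload, so you supply the one from a vendor advisory), enumerates every scriptable, non-kill-bitted control on the machine, and sets the kill bit, which is the standard local mitigation when a vendor fix cannot be applied. The category GUIDs and the 0x400 flag are Microsoft's documented constants; the function names are this example's own.

```powershell
# Added example (not from the article, iDefense or AOL): audit "safe for scripting"
# ActiveX registration and IE kill bits. Any CLSID you pass is your own input.

$CATID_SafeForScripting    = '{7DD95801-9882-11CF-9FA9-00AA006C42C4}'  # CATID_SafeForScripting
$CATID_SafeForInitializing = '{7DD95802-9882-11CF-9FA9-00AA006C42C4}'  # CATID_SafeForInitializing
$KILLBIT                   = 0x400                                      # COMPAT_EVIL_DONT_LOAD
$CompatRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'  # 32-bit view on x64
)

function Test-ActiveXKillBit {
    param([Parameter(Mandatory)][string]$Clsid)
    foreach ($root in $CompatRoots) {
        $flags = (Get-ItemProperty -Path (Join-Path $root $Clsid) -Name 'Compatibility Flags' `
                    -ErrorAction SilentlyContinue).'Compatibility Flags'
        if ($flags -and (($flags -band $KILLBIT) -ne 0)) { return $true }
    }
    return $false
}

function Get-ActiveXExposure {
    param([Parameter(Mandatory)][ValidatePattern('^\{[0-9A-Fa-f-]{36}\}$')][string]$Clsid)
    $key = "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid"
    if (-not (Test-Path $key)) { return $null }   # control is not registered on this machine
    $scriptSafe = Test-Path "$key\Implemented Categories\$CATID_SafeForScripting"
    $initSafe   = Test-Path "$key\Implemented Categories\$CATID_SafeForInitializing"
    $killed     = Test-ActiveXKillBit -Clsid $Clsid
    [pscustomobject]@{
        CLSID               = $Clsid
        Name                = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'(default)'
        Server              = (Get-ItemProperty -Path "$key\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
        SafeForScripting    = $scriptSafe
        SafeForInitializing = $initSafe
        KillBitSet          = $killed
        # Reachable from a web page's script: marked safe and not kill-bitted.
        ScriptableFromWeb   = ($scriptSafe -and -not $killed)
    }
}

function Get-AllScriptableActiveX {
    # Every registered CLSID that carries the safe-for-scripting category and has
    # no kill bit: the set a malicious page could drive in IE on this machine.
    Get-ChildItem 'Registry::HKEY_CLASSES_ROOT\CLSID' -ErrorAction SilentlyContinue |
        Where-Object { Test-Path "$($_.PSPath)\Implemented Categories\$CATID_SafeForScripting" } |
        ForEach-Object { Get-ActiveXExposure -Clsid $_.PSChildName } |
        Where-Object { $_ -and $_.ScriptableFromWeb }
}

function Set-ActiveXKillBit {
    # Mitigation when a vendor fix is unavailable: set the kill bit so IE refuses to
    # instantiate the control regardless of its safety registration. Requires admin.
    param([Parameter(Mandatory)][string]$Clsid)
    foreach ($root in $CompatRoots) {
        if (-not (Test-Path (Split-Path $root))) { continue }   # no Wow6432Node on 32-bit Windows
        $path = Join-Path $root $Clsid
        if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
        $flags = (Get-ItemProperty -Path $path -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
        Set-ItemProperty -Path $path -Name 'Compatibility Flags' -Value ([int]$flags -bor $KILLBIT) -Type DWord
    }
}

# Usage: Get-ActiveXExposure -Clsid '{...}'   (CLSID taken from the vendor advisory)
#        Get-AllScriptableActiveX | Format-Table CLSID, Name, Server
```

One caveat for the enumeration: a control may declare its safety at runtime through IObjectSafety instead of registering the component category, and IE honours that too, so a registry-only sweep can under-report. The per-CLSID check and the kill bit are authoritative either way, since the kill bit is consulted before the control is ever loaded.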
Both vulnerabilities were reported to iDefense by outside researchers paid through the company's Vulnerability Contributor Program, a bug bounty scheme that has been in operation since 2005.