AOL Buffer Overflow in You've Got Pictures ActiveX Control Lets Remote Users Execute Arbitrary Code
SecurityTracker Alert ID: 1015494
SecurityTracker URL: http://securitytracker.com/id?1015494
CVE Reference: GENERIC-MAP-NOMATCH
Date: Jan 17 2006
Impact: Execution of arbitrary code via network, User access via network
Fix Available: Yes
Vendor Confirmed: Yes
Version(s): 8.0, 8.0+ and 9.0 Classic
Description: A vulnerability was reported in the AOL "You've Got Pictures" service. A remote user may be able to execute arbitrary code on the target system.
The AOL YGP Picture Finder Tool ActiveX control (in YGPPicFinder.DLL) contains a buffer overflow. A remote user can create HTML that, when loaded by the target user, will load the affected ActiveX control and potentially execute arbitrary code on the target system.
The control was distributed as part of AOL 8.0, 8.0+, and 9.0 Classic and via the "You've Got Pictures" web site prior to 2004.
The US-CERT advisory is available at:
http://www.kb.cert.org/vuls/id/715730
Impact: A remote user can create HTML that, when loaded by the target user, will execute arbitrary code on the target system.
Solution: The vendor has issued a fix as part of AOL 9.0 Optimized and AOL 9.0 Security Edition. Also, a hotfix is available at:
http://download.newaol.com/security/YGPClean.exe
The control is no longer used by any AOL systems or functions.
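To confirm whether the control is still present on a host, the following read-only PowerShell audit is an added example, not part of the advisory or vendor tooling. It assumes the control is registered machine-wide as an in-process COM server whose path ends in YGPPicFinder.DLL; the advisory gives no CLSID, so the script finds it by file name and also reports the standard Internet Explorer kill-bit state (Compatibility Flags 0x400), a general IE mechanism the advisory does not mention.

```powershell
# Added example (not from the advisory): read-only audit for the vulnerable control.
$dllName = 'YGPPicFinder.dll'   # file name taken from the advisory
$killBit = 0x400                # IE "Compatibility Flags" bit that blocks instantiation

# Native and 32-bit (WOW6432Node) registry views; the second exists only on 64-bit Windows.
$views = @(
    @{ Name   = 'native'
       Clsid  = 'HKLM:\SOFTWARE\Classes\CLSID'
       Compat = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility' },
    @{ Name   = 'wow64'
       Clsid  = 'HKLM:\SOFTWARE\WOW6432Node\Classes\CLSID'
       Compat = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility' }
)

function Get-YgpControlStatus {
    foreach ($view in $views) {
        if (-not (Test-Path -LiteralPath $view.Clsid)) { continue }
        foreach ($key in Get-ChildItem -LiteralPath $view.Clsid -ErrorAction SilentlyContinue) {
            # The default value of InprocServer32 is the path of the DLL that implements the class.
            $inproc = $key.OpenSubKey('InprocServer32')
            if ($null -eq $inproc) { continue }
            $server = ([string]$inproc.GetValue('')).Trim('"')
            $inproc.Close()
            if ([string]::IsNullOrWhiteSpace($server)) { continue }
            if (($server -ne $dllName) -and ($server -notlike "*\$dllName")) { continue }

            # Look up the kill bit for the CLSID that was just discovered.
            $clsid  = $key.PSChildName
            $compat = Join-Path $view.Compat $clsid
            $flags  = (Get-ItemProperty -LiteralPath $compat -ErrorAction SilentlyContinue).'Compatibility Flags'

            [pscustomobject]@{
                View       = $view.Name
                Clsid      = $clsid
                Server     = $server
                FileOnDisk = (Test-Path -LiteralPath $server)
                KillBitSet = ($null -ne $flags) -and (($flags -band $killBit) -ne 0)
            }
        }
    }
}

Get-YgpControlStatus | Format-Table -AutoSize
```

No output means no machine-wide registration pointing at the DLL was found; a row with FileOnDisk true and KillBitSet false indicates a host that still needs the fix or hotfix listed above.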
Vendor URL: www.aol.com/
Cause: Boundary error
Underlying OS: Windows (Any)
Message History:
None.
Source Message Contents
Date: Tue, 17 Jan 2006 01:12:15 -0500
Subject: AOL You've Got Pictures ActiveX control buffer overflow
http://www.kb.cert.org/vuls/id/715730