A Security Vulnerability in AIM Causes a DoS (Exploit)
6 Oct. 2001
Summary
AIM, AOL Instant Messenger, contains a security vulnerability that allows attackers to crash a remote client by sending it a message containing a large number of copies of a specific HTML tag.
A security vulnerability in the way AIM handles incoming HTML code allows remote attackers to crash it.
The target user's visibility settings must allow the exploiter to send him or her IMs. When a message with the text "<!-- " (without the quotes) repeated approximately 640 or more times is received, AIM crashes.
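A client-side or gateway-side check for this message pattern, written here as an added example and not part of the original advisory: it counts unterminated HTML comment openers in an incoming IM, flags the message when they exceed a threshold, and strips comments before the text reaches the renderer. The threshold of 8 unclosed openers and the sample messages are constructed for illustration; the advisory only states that roughly 640 repetitions trigger the crash.

```python
import re

# Constructed sample messages (not taken from the advisory).
BENIGN_MSG = 'Hi there! Check out <a href="http://example.invalid">this</a> <!-- note --> later.'
# Reproduces the trigger pattern the advisory describes: "<!-- " repeated ~640 times.
CRASH_MSG = "<!-- " * 640

COMMENT_OPEN = re.compile(r"<!--")
COMMENT_CLOSE = re.compile(r"-->")


def comment_stats(msg):
    """Return (number of '<!--' openers, number of '-->' closers) in the message."""
    return len(COMMENT_OPEN.findall(msg)), len(COMMENT_CLOSE.findall(msg))


def is_suspicious(msg, max_unclosed=8):
    """Flag a message whose unclosed HTML comment openers exceed the threshold.

    max_unclosed is a constructed, conservative threshold: legitimate IMs almost
    never carry many unterminated comment openers, so flagging far below the
    ~640 repetitions in the advisory leaves margin for shorter variants.
    """
    opens, closes = comment_stats(msg)
    return opens - closes > max_unclosed


def sanitize(msg):
    """Strip HTML comments, closed or dangling, before the message is rendered.

    An unterminated comment swallows the rest of the document in HTML, so a
    dangling opener is removed together with everything after it.
    """
    without_closed = re.sub(r"<!--.*?-->", "", msg, flags=re.DOTALL)
    return re.sub(r"<!--.*", "", without_closed, flags=re.DOTALL)


if __name__ == "__main__":
    for label, msg in (("benign", BENIGN_MSG), ("crash", CRASH_MSG)):
        opens, closes = comment_stats(msg)
        print(f"{label}: openers={opens} closers={closes} "
              f"suspicious={is_suspicious(msg)} rendered={sanitize(msg)!r}")
```

The check runs on the receiving side, so it works regardless of the sender's intent and does not depend on the privacy settings discussed below; a chat gateway that relays HTML could apply the same filter for every client behind it.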
Workaround:
If possible, modify your privacy settings so that only users on your buddy list can contact you. However, this still leaves people on your buddy list able to use this bug against you. Until AOL releases a fix, the only other option is to switch to a non-vulnerable client.
Alternatively, one can live with the occasional crash and simply restart AOL Instant Messenger. Of course, malicious persons could set up scripts to automatically send a crash-inducing message to the user as soon as he or she signs on to the AOL Instant Messenger service.