America Online 9.0 Security Edition ships with an ActiveX control that is marked as safe for scripting and contains a buffer overflow vulnerability allowing arbitrary code execution.
This control is registered as safe for scripting in IE and contains a buffer overflow in its SetAlbumName() method.
Exploitation of this vulnerability is trivial and allows arbitrary code execution as the currently logged-in user. A user would need to be convinced to visit a malicious web site in order to be exploited.
Workaround:
Disabling Active Scripting or unregistering the vulnerable control can prevent exploitation. Additionally, setting the kill bit for the vulnerable control will disable it from running within Internet Explorer.
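The kill-bit workaround described above, as an added example that is not part of the original advisory or of AOL's fix. The advisory does not give the control's CLSID, so it is a required parameter here, and the function name Set-ActiveXKillBit is hypothetical.

```powershell
# Added example: set the IE kill bit (Compatibility Flags 0x400) for one ActiveX CLSID.
# The advisory does not list the AOL control's CLSID; supply it yourself.
# Set-ActiveXKillBit is a hypothetical helper name. Run from an elevated prompt.
function Set-ActiveXKillBit {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [ValidatePattern('^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$')]
        [string]$Clsid
    )
    $name    = 'Compatibility Flags'
    $killBit = 0x400
    # 32-bit IE on 64-bit Windows reads the WOW6432Node view, so set both.
    $roots = @(
        'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
    )
    foreach ($root in $roots) {
        # Skip a view that does not exist (e.g. WOW6432Node on 32-bit Windows).
        if (-not (Test-Path -LiteralPath $root)) { continue }
        $key = Join-Path -Path $root -ChildPath $Clsid
        if (-not (Test-Path -LiteralPath $key)) {
            New-Item -Path $key -Force | Out-Null
        }
        # Preserve any flags already present and OR in the kill bit.
        $existing = Get-ItemProperty -LiteralPath $key -Name $name -ErrorAction SilentlyContinue
        $current  = if ($existing) { [int]$existing.$name } else { 0 }
        $new      = $current -bor $killBit
        New-ItemProperty -LiteralPath $key -Name $name -Value $new -PropertyType DWord -Force | Out-Null
        # Read back and report so the change can be verified or logged.
        $check = (Get-ItemProperty -LiteralPath $key -Name $name).$name
        [pscustomobject]@{
            Key        = $key
            Flags      = '0x{0:X8}' -f $check
            KillBitSet = [bool]($check -band $killBit)
        }
    }
}

# Usage: Set-ActiveXKillBit -Clsid '<CLSID of the vulnerable control, in {braces}>'
```

The function returns one object per registry view it wrote, so the output can be checked for `KillBitSet = True` on every machine it is deployed to.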
Vendor Status:
"All AOL software versions are affected by this issue.
Solutions:
1. Users of AOL 9.0 or AOL 9.0 Security Edition are recommended to log in to the AOL service and a fix will be seamlessly applied to their system.
2. Users using versions of AOL that are older than 9.0 are strongly recommended to upgrade to the latest version of AOL 9.0 Security Edition."