A security vulnerability in the Windows version of AOL Time Warner's Instant Messenger (AIM) chat application affected millions of AIM users until the company secured AIM a week after the problem was first publicized. Unfortunately for AOL—and its customers—a fix wasn't available when news of the problem first appeared. A less-than-scrupulous teenager discovered the vulnerability—which could have let intruders gain control of users' computers—and gave the company little warning before publishing the details and a program that took advantage of the problem. Thus, AOL didn't find out about the problem until potential intruders had already been tipped off. The 19-year-old student who discovered the bug defended his actions by saying that he had emailed AOL but never received a response.
The AOL vulnerability was similar to many of Microsoft's software problems because it involved a buffer-overrun glitch. Buffer overruns can flood a software program with information, eventually overwhelming it and fooling it into executing any valid commands. In AOL's case, intruders could use the AIM program to take control of users' computers and delete files, an obviously dangerous situation.
This vulnerability—and others like it—are important because they represent the newest way for intruders to get worms and other Trojan horses into users' computers. Security analysts expect Instant Messaging (IM)based vulnerabilities to surpass email-delivered threats within the next 5 years.