Reported January 24, 2001, by Win2KsecAdvice.

VERSIONS AFFECTED

  • AOL Instant Messenger

DESCRIPTION

A vulnerability has been discovered in the current versions of AOL Instant Messenger that lets a malicious user launch harmful Java or VBScript code. By exploiting the way Instant Messenger handles embedded images, an attacker can embed Java or VBScript code that executes when a user saves the chat conversation.

VENDOR RESPONSE

AOL was notified on January 18, 2001, and did not respond publicly.

CREDIT

Discovered by Don't Know Guilt.