Denial of Service in AOL Instant Messenger

Reported October 3, 2001, by Matthew Sachs

VERSIONS AFFECTED

  • America Online (AOL) Instant Messenger 4.7.2480 and 4.3.2229.

DESCRIPTION
A Denial of Service (DoS) condition exists in AOL Instant Messenger. An attacker who can send instant messages to a user signed on to the AOL Instant Messenger service can crash that user's AOL Instant Messenger client. By default, anyone can send instant messages to the user. When an attacker sends a text message of "<!-- " repeatedly (approximately 640 or more times), the instant messenger client crashes. To minimize exposure to this vulnerability, users should restrict incoming instant messages to only the people they select.

VENDOR RESPONSE

The vendor, America Online, has been notified of this vulnerability.

CREDIT
Discovered by Matthew Sachs.
