COMMAND

    Aol Instant Messenger

SYSTEMS AFFECTED

    Aol Instant Messenger

PROBLEM

    'cruz' found following.  As all Ascii-Symbols can be displayed  in
    &#XXX; format, where XXX are numbers from 0-255, AIM seems not  to
    check the XXX for higher values and some strings above 255  result
    in aim crashing completly or in part.  E.g. the string ̂ will
    result in crashing the whole  aim, but ̃ will crash  only the
    instant message  window (̃  was only  tested once).   It will
    crash  the  AIM  of  the  attacker  too,  because AIM displays the
    string in the attacker-Instant  Message, so the attacker-AIM  also
    tries to convert it and errors.

    Please note that the bug will also crash the AIM program launching
    the attack unless you use one of the not vulnerable versions or  a
    non-AOL client.  Versions reported as affected:

        Version     # of reports
        2.0N        (1)
        2.5.1366    (1)
        2.5.1598    (2)
        3.0.1470    (1)
        3.5.1635    (1)
        3.5.1670    (1)
        3.5.1808    (2)
        3.0N        (1)

SOLUTION

    There  is  already  an  unofficial  fix  available,  which  can be
    downloaded  at  hompage:  http://laugh.at/cruz.     The  fix is an
    edited ate32.dll,  which should  be copied  to the  aim directory.
    With  it,  aim  doesnt  try  to  convert  "&#XXX;"-type of strings
    anymore, a  minimum drawback  (note: with  that fix,  the attacker
    can use this exploit to  crash other unfixed AIMs, but  wont crash
    his/her own AIM).

    The bug does not seem to manifest itself in the chat room  window.
    However, if you insert a link that points to the character  entity
    in its  url it  will crash.   All entity  characters in  the range
    ̂-̋ seems to produce some type of error.  By all  accounts
    AIM 3.5.1856  released on  March 1  (the latest  beta) for Windows
    95/98/NT fixes this problem.