Version(s): AOL Instant Messenger/Win32 4.7.2480; earlier versions

Description:  A denial of service vulnerability has been reported in AOL Instant Messenger (AIM). A remote user that can send instant messages to a target AIM user can cause the target user's AIM application to crash.

A remote user can send a message containing the text "<!-- " (without the quotes) approximately 640 or more times to cause the recipient's AIM to crash with the following error:

AIM caused in invalid page fault in module ATK32.DLL at 015f:12023f63.
Registers:
EAX=00000000 CS=015f EIP=12023f63 EFLGS=00010246
EBX=0063ea94 SS=0167 ESP=0063e9dc EBP=0063ea24
ECX=0043dab0 DS=0167 ESI=0043051c FS=0e87
EDX=00000000 KS=0167 KDI=0063ea8c GS=0000
Bytes at CS:EIP:
83 78 28 00 74 08 c7 07 ff 7f 00 00 eb 06 8b 40
Stack dump:
00000000 0043051c 00000409 218f0004 8a120000
17df0b04 00010000 00000000 00000000 00000002
00000000 00000302 0000000c 00000001 0000000c
00000000

The default configuration of AIM apparently allows all instant messaging users to send a message.

This vulnerability reportedly affects all of AOL's versions of AIM for Win32 and all versions of Netscape's AIM, with the exception of the AIM program included with Netscape 6.1.

This vulnerability also reportedly affects gAIM, but only when the user is connected to gAIM via the Oscar protocol.

It is reported that the following implementations are not vulnerable:

aimirc (all versions)
AIM Express
QuickBuddy
AOL Instant Messenger/Linux 1.5.234
Mac clients
AOL's Java client
Clients that connect via the TOC protocol (e.g., TiK, miniTiK, tnt, jaim, jam). Underlying OS:  Windows (Me), Windows (NT), Windows (95), Windows (98), Windows (2000), Windows (XP)

There is no solution at this time.
Reported By:  Matthew Sachs <matthewg@zevils.com>