If at first you don't succeed; call it version 1.0
Monday, 21 August 2006

As I already reported, I've found a vulnerability in AOL Security Toolbar, which could allow an attacker to control the user's toolbar configuration options remotely.

Within 1 (one) day, AOL replied by email, confirmed the vulnerability and delivered a fixed version. Wow, very fast response!

I've verified that this fix actually plugs the hole. Good job Spencer!

So, I recommend that anyone who uses the AOL Security Toolbar update to the latest version.

To find out which version you are using, go to Left Button Arrow --> Help --> "About AOL Security Toolbar". The vulnerable version is: Version 1.11 (08-03-06).

If you are using this version, and have not received (or have ignored) the message asking you to update your toolbar, you can manually update by going to Left Button Arrow --> "Update Toolbar...". You should be notified if you are already using the latest version of the AOL Security Toolbar.

But just to be sure, the version that is not vulnerable is: Version 1.13 (08-18-06).

I will update this post on Friday with a proof-of-concept exploit for this vulnerability.


Monday, 21 August 2006 20:39:05 UTC | Comments [1] | Security
Tuesday, 16 October 2007 13:25:34 UTC
Yeah, really now, do you plan on starting a "malware of the week" review or what?