CVSS v2 base score: 7.5 (High)
Access Vector: Network
Access Complexity: Low
Authentication: None
Confidentiality Impact: Partial
Integrity Impact: Partial
Availability Impact: Partial
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
EPSS score: 0.117 (Low), percentile 95.2%
The AOL YGP Screensaver ActiveX control contains a buffer overflow vulnerability, which may allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.
The AOL YGP (You’ve Got Pictures) Screensaver ActiveX control is a component that comes with AOL software. This ActiveX control contains a buffer overflow vulnerability.
By convincing a user to view a specially crafted HTML document (e.g., a web page or an HTML email message or attachment), an attacker may be able to execute arbitrary code with the privileges of the user. The attacker could also cause Internet Explorer (or the program using the WebBrowser control, such as the AOL browser) to crash.
Apply an update
This issue is addressed by AOL 9.0 automatic updates. Log in to the AOL service to receive the appropriate update automatically. Users with AOL older than version 9.0 are recommended to upgrade to the latest version of AOL.
Disable the AOL YGP Screensaver ActiveX control
The AOL YGP Screensaver ActiveX control can be disabled by setting the kill bit for the following CLSID:
{A1B09066-C95C-4EF6-8DFD-3DD0AFE610B6}
More information about how to set the kill bit is available in Microsoft Support article 240797 ("How to stop an ActiveX control from running in Internet Explorer").
Disable ActiveX
Disabling ActiveX controls in the Internet Zone (or any zone used by an attacker) appears to prevent exploitation of this vulnerability. Instructions for disabling ActiveX in the Internet Zone can be found in the "Securing Your Web Browser" document and the Malicious Web Scripts FAQ.
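The following PowerShell script is added here as a worked example of the two registry-based workarounds above (the kill bit for the YGP control and the Internet-zone ActiveX setting); it is not from the CERT/CC note or from AOL. It assumes an elevated prompt on a Windows host with Internet Explorer, uses the CLSID given in the note, and writes the "Compatibility Flags" DWORD (0x400) that Microsoft article 240797 describes, under both the native hive and the Wow6432Node hive where the latter exists. The function and variable names are the example's own.

```powershell
# Added example (not from the CERT/CC note or AOL): set the kill bit for the AOL YGP
# Screensaver control and, optionally, disable ActiveX in the Internet zone.
# Run from an elevated PowerShell prompt. Registry layout follows Microsoft article 240797.

$Clsid   = '{A1B09066-C95C-4EF6-8DFD-3DD0AFE610B6}'   # CLSID from the vulnerability note
$KillBit = 0x400                                      # COMPAT_EVIL_DONT_LOAD

# Native view plus the 32-bit view on 64-bit Windows; IE reads whichever matches its bitness.
$CompatKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
)

function Set-KillBit {
    param([string]$Clsid)
    foreach ($base in $CompatKeys) {
        # Wow6432Node exists only on 64-bit Windows; skip that view elsewhere
        if (-not (Test-Path (Split-Path $base -Parent))) { continue }
        $key = Join-Path $base $Clsid
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        # OR the kill bit into any flags already present instead of overwriting them
        $existing = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
        $flags = [int]$existing -bor $KillBit
        New-ItemProperty -Path $key -Name 'Compatibility Flags' -PropertyType DWord -Value $flags -Force | Out-Null
    }
}

function Test-KillBit {
    # Verification step: read the native view back and check that bit 0x400 is set
    param([string]$Clsid)
    $key   = Join-Path $CompatKeys[0] $Clsid
    $flags = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
    return (([int]$flags -band $KillBit) -eq $KillBit)
}

# Second workaround from the note: disable "Run ActiveX controls and plug-ins" in the
# Internet zone for the current user (zone 3, policy 1200; value 3 = disable).
function Disable-InternetZoneActiveX {
    $zone = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
    Set-ItemProperty -Path $zone -Name '1200' -Type DWord -Value 3
}

Set-KillBit -Clsid $Clsid
if (Test-KillBit -Clsid $Clsid) {
    "Kill bit set for $Clsid"
} else {
    Write-Error "Kill bit not set for $Clsid"
}
# Uncomment to apply the broader zone-level workaround as well:
# Disable-InternetZoneActiveX
```

The kill bit stops Internet Explorer and any WebBrowser-control host (the AOL client included) from instantiating the control by CLSID; it does not remove or patch the control, so the vendor update remains the actual fix. The zone setting affects only the current user's Internet zone and disables every ActiveX control there, not just this one, so expect breakage on sites that depend on ActiveX.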
Vendor Information (VU#154641)
AOL: Affected. Notified: July 13, 2006. Updated: October 09, 2006.
Vendor Statement

Overview

AOL has recently been made aware of a security vulnerability present in two ActiveX controls available with AOL client software. The two vulnerable controls are:

Successful exploitation of either vulnerability may result in an attacker being able to execute arbitrary code on a vulnerable system.

Affected Products and Applications

All AOL software versions are affected by this issue.

Solutions

Users of AOL 9.0 or AOL 9.0 Security Edition are recommended to log in to the AOL service and a fix will be seamlessly applied to their system. Users using versions of AOL that are older than 9.0 are strongly recommended to upgrade to the latest version of AOL 9.0 Security Edition.

Acknowledgments

AOL would like to thank CERT/CC for their assistance in identifying and responsibly reporting these issues.
The vendor has not provided us with any further information regarding this vulnerability.
CVSS Metrics: Base 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P); Temporal and Environmental scores not provided.
This vulnerability was reported by Will Dormann of CERT/CC.
This document was written by Will Dormann.
CVE IDs: CVE-2006-3887
Severity Metric: 8.35
Date Public: