AOL Thursday slipstreamed a security update to users of the Internet provider's browser to fix a bug that Microsoft patched back in June.

According to an alert posted by Reston, Va. security company iDefense Inc., AOL's browser uses a flawed method to render compressed images in the .art format. An attacker can exploit the bug by convincing users to view a maliciously-crafted .art image; the resulting heap overflow can be further leveraged, letting the attacker plant and run code of his choosing on the victimized PC. End result: The computer is hijacked.

"iDefense analysis has shown that exploitation can be as reliable as 75 percent with the current exploitation method," the warning read. In the 1-in-4 attempts that would likely fail, the PC would probably slow down or lock up entirely.

AOL's browser is a highly-customized version of Microsoft's Internet Explorer; the latter was patched to fix the .art flaw in June with the security bulletin MS06-022.

AOL 9.0 and earlier are affected. AOL subscribers using 9.0 only need to log on to the service -- a fix will be applied automatically -- but members working with an earlier edition of the ISP's client software should upgrade to 9.0 Security Edition.

As of the end of June, AOL had 17.7 million U.S. members, a drop of 3.1 million from a year earlier. In August, the company announced it would make its paid service and e-mail available at no charge to broadband users in an attempt to replace lost subscriber revenue with ad dollars.

By TechWeb
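The article does not describe how the .art decoder fails, and neither the MS06-022 bulletin nor the iDefense proof of concept is reproduced here. What follows is an added, generic C illustration of the bug class the alert names, a heap overflow in an image decoder, written for this page rather than taken from AOL, Microsoft or iDefense. The toy file format (an 8-byte header of width, height and payload length), the function names and the sample files are all assumptions constructed for the example; the real .art layout is not known from the page. The vulnerable decoder sizes its heap buffer from the image dimensions but copies as many bytes as a separate, attacker-controlled length field says, which is exactly the kind of mismatch a crafted image turns into a heap write. The hardened decoder cross-checks the two and also refuses a truncated payload, so it can neither overflow the heap buffer nor read past the end of the input.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical toy image header (assumption: NOT the real AOL .art layout).
 * Little-endian: 2-byte width, 2-byte height, 4-byte length of the pixel
 * payload that follows. Every field comes from the file, i.e. the attacker. */
#define TOY_HDR_LEN 8u

typedef struct {
    uint16_t width;
    uint16_t height;
    uint32_t data_len;
} toy_hdr;

static int parse_hdr(const uint8_t *buf, size_t len, toy_hdr *h)
{
    if (buf == NULL || len < TOY_HDR_LEN)
        return -1;
    h->width    = (uint16_t)(buf[0] | (buf[1] << 8));
    h->height   = (uint16_t)(buf[2] | (buf[3] << 8));
    h->data_len = (uint32_t)buf[4] | ((uint32_t)buf[5] << 8) |
                  ((uint32_t)buf[6] << 16) | ((uint32_t)buf[7] << 24);
    return 0;
}

/* Vulnerable pattern: the heap buffer is sized from width*height, but the copy
 * is sized from the independent data_len field. A file whose data_len exceeds
 * width*height writes past the end of the allocation (heap overflow). Kept for
 * contrast only; main() never feeds it the malicious sample. */
uint8_t *decode_vulnerable(const uint8_t *buf, size_t len)
{
    toy_hdr h;
    if (parse_hdr(buf, len, &h) != 0)
        return NULL;
    uint8_t *pixels = malloc((size_t)h.width * h.height);
    if (pixels == NULL)
        return NULL;
    memcpy(pixels, buf + TOY_HDR_LEN, h.data_len);   /* BUG: length never checked */
    return pixels;
}

/* Hardened version: the payload must exactly fill the pixel buffer and must
 * actually be present in the file. 65535*65535 fits in a 32-bit size_t, so the
 * multiplication cannot wrap. */
uint8_t *decode_hardened(const uint8_t *buf, size_t len)
{
    toy_hdr h;
    if (parse_hdr(buf, len, &h) != 0)
        return NULL;
    if (h.width == 0 || h.height == 0)
        return NULL;
    size_t expected = (size_t)h.width * h.height;
    if (h.data_len != expected)
        return NULL;                 /* length field disagrees with dimensions */
    if (h.data_len > len - TOY_HDR_LEN)
        return NULL;                 /* payload truncated: would read past the input */
    uint8_t *pixels = malloc(expected);
    if (pixels == NULL)
        return NULL;
    memcpy(pixels, buf + TOY_HDR_LEN, expected);
    return pixels;
}

/* Reports, without running the vulnerable decoder, whether a file would make
 * it write past its heap buffer. */
int would_overflow(const uint8_t *buf, size_t len)
{
    toy_hdr h;
    if (parse_hdr(buf, len, &h) != 0)
        return 0;
    return h.data_len > (size_t)h.width * h.height;
}

/* Constructed samples (not real .art files): a consistent 2x2 image, one whose
 * length field claims 16 bytes for a 4-byte pixel buffer, and one whose
 * payload is shorter than the header promises. */
const uint8_t benign_img[]    = { 2, 0, 2, 0, 4, 0, 0, 0, 0xAA, 0xBB, 0xCC, 0xDD };
const uint8_t malicious_img[] = { 2, 0, 2, 0, 16, 0, 0, 0,
                                  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
                                  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41 };
const uint8_t truncated_img[] = { 2, 0, 2, 0, 4, 0, 0, 0, 0xAA, 0xBB };

int main(void)
{
    uint8_t *p = decode_hardened(benign_img, sizeof benign_img);
    printf("benign:    hardened %s\n", p ? "accepted" : "rejected");
    free(p);
    p = decode_vulnerable(benign_img, sizeof benign_img);   /* safe: lengths agree */
    free(p);
    printf("malicious: would overflow vulnerable decoder = %d, hardened %s\n",
           would_overflow(malicious_img, sizeof malicious_img),
           decode_hardened(malicious_img, sizeof malicious_img) ? "accepted" : "rejected");
    printf("truncated: hardened %s\n",
           decode_hardened(truncated_img, sizeof truncated_img) ? "accepted" : "rejected");
    return 0;
}
```

The check that matters is the one the vulnerable decoder lacks: every length used to size a copy must be derived from, or validated against, the length used to size the destination, and both must be bounded by the bytes actually available in the input. Exploit reliability figures like the 75 percent quoted in the alert come from how predictably the overflowed heap chunk's neighbours can be arranged; a decoder that rejects the inconsistent file never reaches that stage.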