CVE-2010-10015
Published 2025-08-21
Priority: P3 47 · Severity: high · CVSS 4.0 base score: 8.4
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Exploit: available
EPSS: 0.49% (38.2nd percentile)
AOL versions up to and including 9.5 include an ActiveX control (Phobos.dll) that exposes a method called Import() via the Phobos.Playlist COM object. This method is vulnerable to a stack-based buffer overflow when it is passed an excessively long string argument. Exploitation allows remote attackers to execute arbitrary code in the context of the current user, but only when the malicious HTML file is opened locally, because the control is not marked safe for scripting or initialization. AOL remains an active and supported brand offering services such as AOL Mail and AOL Desktop Gold, but the legacy AOL 9.5 desktop software (specifically the version containing the vulnerable Phobos.dll ActiveX control) is long discontinued and no longer maintained.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| aol | aol | <= 9.5 (Revision 4337.155) | — |
Detection & IOCs (extracted from sources)
- Monitor for instantiation of the Phobos.Playlist COM/ActiveX object (Phobos.dll) in browser or HTML file contexts, particularly when the Import() method is called with an unusually long string argument, which is indicative of a stack-based buffer overflow attempt.
- Flag local HTML file execution that instantiates the Phobos.Playlist ActiveX control; exploitation requires the malicious HTML to be opened locally because the control is not marked safe for scripting or initialization.
- Detect file-format exploit delivery via the Metasploit module targeting AOL 9.5 Phobos.dll; look for generated malicious HTML/file artifacts associated with the aol_phobos_bof module.
- The ActiveX control is not marked safe for scripting or initialization, so exploitation is limited to locally opened malicious HTML files and cannot be triggered through a remote, web-based drive-by attack.
- The vulnerable AOL 9.5 desktop software containing Phobos.dll is long discontinued and no longer maintained, which significantly limits the active attack surface.
No detection rules found.
No writeups or analysis indexed.
References
- http://www.exploit-db.com/exploits/11190
- https://www.exploit-db.com/exploits/11204
- https://appdb.winehq.org/objectManager.php?sClass=version&iId=20354
- https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/windows/fileformat/aol_phobos_bof.rb
- https://web.archive.org/web/20100804162117/http://www.rec-sec.com/2010/01/25/aol-playlist-class-buffer-overflow/
- https://www.broadcom.com/support/security-center/attacksignatures/detail?asid=26569
- https://www.fortiguard.com/encyclopedia/ips/32026/aol-phobos-dll-activex-control-import-buffer-overflow
- https://www.vulncheck.com/advisories/aol-phobos-playlist-import-stack-based-buffer-overflow