Two AOL 9 ActiveX Problems
iDefense released two advisories on 10/25/06 related to two distinct flaws in an ActiveX control which is installed with AOL 9.0 Security Edition. The two functions in question are "downloadFileDirectory" and "AddPictureNoAlbum" in YGPPicDownload.dll, with
CLSID D670D0B3-05AB-4115-9F87-D983EF1AC747
(for all you AOL users out there who are rushing off to set your kill bits ;)). Apparently the browser is just built on top of IE, so one would expect that it can be exploited like any other ActiveX vulnerability. Despite the additional features in AOL 9 SE vs. plain-jane IE, it obviously can't stop ActiveX exploits.
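For anyone actually doing that, here is an added example (mine, not from the advisories or AOL) that sets the IE kill bit for the CLSID above and verifies it; it assumes an elevated PowerShell session and 32-bit IE (on 64-bit Windows the same key under Wow6432Node would also need it).

```powershell
# Added example: set and verify the ActiveX kill bit for the YGPPicDownload.dll
# control from the iDefense advisories. Run as Administrator.
$clsid   = '{D670D0B3-05AB-4115-9F87-D983EF1AC747}'   # CLSID from the advisory
$killBit = 0x400                                      # documented kill-bit flag value
$path    = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$clsid"

# Informational only: is the control even registered on this box?
$clsKey = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid"
if (Test-Path $clsKey) {
    $server = (Get-ItemProperty "$clsKey\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
    Write-Host "Control is registered; in-proc server: $server"
} else {
    Write-Host "Control not registered here; setting the kill bit anyway as a precaution."
}

# Create the compatibility key if it does not exist yet.
if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }

# Keep any compatibility flags already present and OR in the kill bit.
$current = (Get-ItemProperty -Path $path -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
if ($null -eq $current) { $current = 0 }
Set-ItemProperty -Path $path -Name 'Compatibility Flags' -Value ($current -bor $killBit) -Type DWord

# Verify the bit really took.
$after = (Get-ItemProperty -Path $path -Name 'Compatibility Flags').'Compatibility Flags'
if (($after -band $killBit) -eq $killBit) {
    Write-Host "Kill bit set for $clsid (Compatibility Flags = 0x{0:X})" -f $after
} else {
    Write-Error "Kill bit NOT set for $clsid"
}
```

Note that a kill bit only stops IE (and anything hosting its engine) from instantiating the control; it does not remove the DLL, so the vendor patch is still the real fix.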
As for remediation, if I'm interpreting it correctly, all previous versions of AOL are vulnerable (but I don't see how that can be, since they used Mozilla at some point in their past). But I'm just repeating what AOL is saying: "All AOL software versions are affected by this issue." AOL also says that AOL 9 users will be automatically updated to fix the vulnerability the next time they sign in. That's good. If AOL 9 were the only vulnerable version, this would be a non-issue. But they say that people using previous versions of AOL should update to 9. So it's still plausible that it can be exploited against older clients, because I'm sure there are plenty of AOL users out there who are still running whatever version came on the first CD, and who don't go looking around for security updates.
CVE-2006-5501 for the first one (downloadFileDirectory)
CVE-2006-5502 for the second one (AddPictureNoAlbum)
Does anyone else find it ironic that AOL is building on top of IE after having bought Netscape for 4.2 billion back in the day, only to eventually cut Mozilla free? :)
