Updated: America Online posts a hotfix to correct a buffer overflow vulnerability in its "You've Got Pictures" photo album service.

A critical security flaw in America Online Inc.'s "You've Got Pictures" service could put millions of users at risk of PC takeover attacks, according to a warning from the US-CERT (U.S. Computer Emergency Readiness Team).

In an advisory, US-CERT described the flaw as a buffer overflow in an AOL YPG Picture Finder Tool ActiveX control (YGPPicFinder.DLL) that may be exploited to execute arbitrary code or cause a denial-of-service condition.

The vulnerability affects AOL 8.0, AOL 8.0 Plus and AOL 9.0 Classic. In addition, the vulnerable control was distributed via the "You've Got Pictures" Web site prior to 2004.

A separate alert from FrSIRT (French Security Incident Response Team), rates the bug as "critical" and warned that the vulnerable ActiveX control does not properly handle overly long input strings.

"[This] could be exploited by remote attackers to compromise a vulnerable system by convincing a user to visit a specially crafted Web page."