AOL Instant Messenger is vulnerable to worm attack due to the way it works with Internet Explorer 7, according to security researchers.
The critical flaw is in the way that the IM service displays web-based graphics, according to researchers at Core Security Technologies, which discovered the flaw.
Core has been working with AOL over the past few weeks to patch the problem. AOL's servers are now filtering instant messaging traffic to intercept any attacks, but the company has yet to patch the problem in its client software, the researchers said.
The flaw has to do with the way the IM uses IE components to render HTML messages. By sending a malicious HTML message to a user, an attacker could run unauthorised software on a victim's computer or force the browser to visit a malicious web page, said Core chief technology officer Iván Arce.
This type of flaw could be exploited to create a self-replicating worm, according to both Core's Arce and Aviv Raff, a security researcher who says he'd discovered a related flaw in AOL IM. "The frightening thing about this vulnerability is that it can be easily exploited to create a massive IM worm, because it doesn't require any user interaction," Raff said.
No attacks based on the flaws have been reported.
Arce says that the safest thing is for AOL IM users to either upgrade to the 6.5 beta code or to downgrade to a 5.9 version of the software, which does not support HTML rendering.
But Raff offered different advice, saying that AOL IM 6.5 is still vulnerable to the flaw he discovered. According to him the best thing would be for AOL to "fix the underlying code," although AIM 5.9 is "probably not vulnerable to this specific vulnerability," he said.
AOL may not be planning to fix AIM any time soon, according to the company. "We have resolved all of the issues presented to us by Core Security within all past, current and future versions of AIM," AOL said without commenting on Raff's findings.
Users should still be concerned, however. Core's Arce said that he was worried that hackers could find ways around AOL's filters. What AOL has done is "just one portion of the solution and that's not the most effective portion," he said. "The most effective solution is to run a client that doesn't have the problem."