Core Security Technologies has announced the discovery of a new vulnerability affecting AOL Instant Messenger, on systems where Internet Explorer 7 is also installed. Researchers warn that by exploiting the vulnerability to AOL's AIM, an attacker could remotely execute code on a user's computer and exploit Internet Explorer bugs without user interaction.
The flaw reportedly affects versions 6.1 and 6.2 beta, AIM Pro and AIM Lite. Core Security Technologies also said that the same kind of flaw could be found in other applications that have IE embedding, but Yahoo Messenger and MSN Messenger are not at risk.
Although AOL claims to have resolved all off the issues presented by Core Security within all past, current and future versions of AIM, CST's chief technology officer Ivan Arce says the vulnerability can still be manipulated. Core recommends that users download and install a non-vulnerable version of AIM such as AIM 5.9 or use AOL's web-based AIM Express service until AOL has fixed the problem.