America Online is working on a critical patch for the company's highly popular AIM application. Researchers at Core Security Technologies Wednesday disclosed a bug that could enable a remote hacker to execute malicious code, exploit Internet Explorer bugs, and inject scripting code in the IE browser. The researchers noted that all of the vulnerable AIM clients include support for enhanced message types that enable AIM users to take advantage of HTML to customize text messages with different fonts and colors. "We have addressed the issues that Core Security has brought to us on the server side. We are comfortable with the server side fixes we have in place, but we are also working on a client fix," said an AOL spokeswoman.
According to Core Security, the vulnerability affects AIM V6.1, as well as the V6.2 beta, which is the latest version of AOL's instant messaging application. It also affects AIM Pro, the instant messaging version for corporate users, and AIM Lite, a simplified version of the client application. "This vulnerability poses a significant security risk to millions of AIM users. Core Security has alerted AOL to this threat and has provided full technical details about the vulnerability so that they can address it in their products," said Ivan Arce, CTO at Core Security.