Core Security Technologies has discovered a critical vulnerability in AOL's Instant Messenger (AIM) program which, if exploited correctly, could grant an attacker full control over a victim's PC. Affecting AIM 6.1, 6.2 beta, AIM Pro, and AIM Lite versions, the security flaw can use the underpinnings of the Internet Explorer web browser to force users to dangerous web sites and silently execute malicious code.

The problem lies in the way AIM renders images, such as smiley faces and other emoticons, used within its instant message communications. The program uses part of Internet Explorer's engine to accomplish this. However, it appears that it enables access to other IE functions as well which gives an attacker the power to wreak havoc by simply embedding ill-willed commands within an Instant Message window.

Users of the popular messaging program are urged to switch to version 5.9, 6.5 (beta), or AIM Express until a suitable solution is provided. It is also recommended that you do not accept any messages from users that you do not recognize.