AOL Fixes Critical Instant Messenger Vulnerability
A security flaw in AOL Instant Messenger, also known as AIM, has been fixed. Sort of. Reported last month by Core Security Technologies and expert Aviv Raff, the vulnerability allowed an attacker to use the popular instant messaging program and the Internet Explorer web browser to take control of a PC.
AOL released a new version of AIM 6.5 (6.5.4.16) this week that corrects the flaw. Raff states that this latest release does indeed fix the specific attack vector of the vulnerability, but it does not utilize the Local Zone lockdown. This means a skillful attacker could still potentially find a way to inject a malicious script into an instant message window. He has therefore postponed the release of his proof-of-concept, lest it fall into the wrong hands.
Nevertheless, Windows users running AIM are encouraged to upgrade their software immediately.