AOL's Instant Messenger is vulnerable to remotely executable code and it won't be officially fixed until the company issues AIM 220.127.116.11 in a few weeks.
The company says that in the meantime, a beta version of AIM 18.104.22.168 is available on its beta.aol.com Web site, and it addresses the problem.
Core Security Technologies, which discovered the vulnerability, recommends that users switch to other AIM versions that don't have the weakness. They include the beta version as well as AIM 5.9 and AIM Express, AOL's Web service.
If exploited, the vulnerability could allow a hacker to carry out a number of different attacks, says Core Security's CTO Iván Arce.
For example, an attacker could run malicious JavaScript on a vulnerable machine, he says. Or an attacker could send an instant message that creates a popup on the screen of the vulnerable machine asking for private information such as passwords.
In a third scenario, an attacker could access cmd.exe on the vulnerable machine, allowing any range of attacks, Arce says. An instant message could also automatically bring a user's browser to a hostile URL that could download malware to the machine.
The vulnerability allows attackers to exploit the fact that AIM uses Microsoft's Instant Messenger browser to render HTML, but does so without properly cleansing it, Arce says.
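The fix that Arce's description implies is an allowlist step between the message and the rendering engine: keep only harmless formatting tags and attributes, and drop script, event handlers and non-HTTP link targets before any HTML reaches the browser control. The sanitizer below is an added illustration of that step, not AOL's or Core Security's code; the tag and attribute allowlist, the `sanitize_im_html` name and the sample messages are assumptions chosen for the example.

```python
"""Allowlist-based HTML sanitizer for instant-message text.

Added illustration, not AOL's or Core Security's code. It models the
mitigation the article implies: an IM client that hands message HTML to
a browser engine must first reduce it to an allowlist of harmless tags
and attributes, so that script, event handlers and javascript: links
never reach the renderer. The allowlist below is an assumption.
"""
from html import escape
from html.parser import HTMLParser

# Assumed allowlist: basic IM formatting plus plain http(s) links.
ALLOWED_TAGS = {"b", "i", "u", "br", "font", "a"}
ALLOWED_ATTRS = {"font": {"color", "size"}, "a": {"href"}}
SAFE_SCHEMES = ("http://", "https://")


class IMSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0   # > 0 while inside a dropped <script>/<style>
        self.open_tags = []   # allowed tags currently open, for balancing

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip_depth += 1        # drop the element and its contents
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return                      # drop the tag, keep its text content
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue                # kills onclick=, onerror=, style=, ...
            if name == "href":
                v = (value or "").strip().lower()
                if not v.startswith(SAFE_SCHEMES):
                    continue            # kills javascript:, data:, file:, ...
            kept.append(f' {name}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag != "br":
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if self.skip_depth or tag not in ALLOWED_TAGS or tag == "br":
            return
        if tag in self.open_tags:
            # Close everything up to and including the matching open tag.
            while self.open_tags:
                t = self.open_tags.pop()
                self.out.append(f"</{t}>")
                if t == tag:
                    break

    def handle_data(self, data):
        if not self.skip_depth:
            # Re-escape text so decoded entities cannot re-open markup.
            self.out.append(escape(data, quote=False))

    def result(self):
        while self.open_tags:           # balance any tags left open
            self.out.append(f"</{self.open_tags.pop()}>")
        return "".join(self.out)


def sanitize_im_html(message: str) -> str:
    """Return a rendering-safe subset of an incoming message's HTML."""
    p = IMSanitizer()
    p.feed(message)
    p.close()
    return p.result()


if __name__ == "__main__":
    # Constructed sample messages of the kind the article describes.
    for msg in (
        '<b>hello</b><script>alert(1)</script>',
        '<a href="javascript:alert(1)" onclick="x()">click</a>',
        '<a href="http://example.test/">ok</a>',
        '<img src=x onerror=alert(1)>just text',
    ):
        print(repr(msg), "->", repr(sanitize_im_html(msg)))
```

The parser keeps text content of disallowed elements (so a message is not silently emptied) but discards `script` and `style` bodies entirely, since their contents are code rather than text. The allowlist is deliberately small; anything the client does not need for formatting is dropped rather than enumerated as dangerous.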