Big Security Holes Found in AOL's Instant Messenger

Dennis Faas's picture

Those still loyal to America Online are aware that the service has had a topsy-turvy history. The once-dominant dial-up choice of Americans has struggled of late with vulnerabilities in its Instant Messenger application, holes that security experts have collectively referred to as a "major vulnerability".

Last Wednesday, analysts at Core Security Technologies revealed that a bug could unleash a series of attacks on an AOL Instant Messenger user, with the most serious side effect being a remote hijack by a hacker. If said hacker were to worm his or her way into the system, Core Security believes he or she would be able to execute malicious code or take advantage of Internet Explorer bugs.

Core Security CTO Ivan Arce had this to say in a written statement:

"This vulnerability poses a significant security risk to millions of AIM users... Core Security has alerted AOL to this threat and has provided full technical details about the vulnerability so that they can address it in their products. Since we notified AOL, this vulnerability has emerged on several public bug-tracking Web sites. Therefore, we believe it is necessary to bring precise details about this issue to light immediately, so that AIM users and organizations using AIM can be made aware of the threat, assess their risk, and take the appropriate measures to ensure that they are protected." (Source:

Updating the AOL Instant Messenger service, say from AIM V6.1 to V6.2, won't help. Core Security says both are just as likely to be affected by the threat. Even AIM Pro and AIM Lite, professional and client versions of the Instant Messenger service, respectively, are affected.

Thankfully for the AOL faithful, a patch for these issues is on the way. Unfortunately, word of this progress -- passed on from a random AOL spokesperson to InformationWeek -- was vague and limited to "technicians are working on the problem." As recently as Friday, media outlets were reporting that AOL was still nowhere near a final solution to the issue. (Source:
