Security firm warns of AIM vulnerability risk

Posted

Boston (MA) - Core Security Technologies says that a critical flaw in AOL's instant messenger application has still not been fixed, despite the online company's remarks to the contrary.

CST says the security hole could allow malicious users to remotely seize control of a fellow user's computer.  Even though AOL says this problem has been fixed, CST's chief technology officer Ivan Arce claims the vulnerability could still be manipulated.

"I would say this is critical, this is very serious," he said.  AOL spokesperson Eric Gifford, however, says users are "completely safe".  The flaw reportedly affects versions 6.1 and 6.2, which are new versions of the software that are still in beta mode.

The security firm says the flaw can be manifested through the use of enriched media messaging, including stuff like emoticons.  Some of these media files rely on Internet Explorer, without the necesary safeguards, contends the firm.

Core Security Technologies warned that the same kind of flaw could be found in other applications that have IE embedding, but said that Yahoo Messenger and MSN Messenger are not at risk.