Researchers report that a critical vulnerability in AIM could be used to create a massive worm attack.

The flaw was discovered by researchers at Core Security Technologies, which has been working with AOL over the past few weeks to patch the problem. AOL’s servers are now filtering instant messaging traffic to intercept any attacks, but the company has yet to patch the underlying problem in its client software, security researchers said Tuesday.

The flaw has to do with the way the AOL Instant Messaging (AIM) software uses Internet Explorer’s software to render HTML (Hypertext Markup Language) messages. By sending a maliciously encoded HTML message to an AIM user, an attacker could run unauthorized software on a victim’s computer or force the IE browser to visit a maliciously encoded Web page, said Core Chief Technology Officer Ivan Arce.

According to reports, AOL isn’t taking the flaws in the AIM software too seriously and doesn’t plan on releasing a fix anytime soon. Instead, they’re relying on filtering malicious HTML through AOL’s servers and not the client software. This makes me a bit concerned about the safety of AIM as the flaws in the client software should be fixed themselves as they might not have filters in place to catch everything worm authors may think of.

[Researchers say AIM vulnerable to worm attack]

[tags]AOL, instant messenger, AIM, security[/tags]