
Security hole found in AOL Instant Messenger

AOL reportedly fixes flaw Thursday

RESTON, Virginia (CNN) -- AOL Time Warner's popular AOL Instant Messenger had a security flaw that could have enabled a hacker to invade a user's computer and wreak havoc on the system, the company and a security group said Wednesday.

AOL spokesman Andrew Weinstein said there have been no indications that hackers have exploited the flaw, which the company fixed Thursday, The Associated Press reported. (AOL Time Warner is the parent company of

"This is more of a theoretical issue because we don't believe this has actually occurred," Weinstein told CNN Wednesday.

Weinstein described the fix as a "server-side resolution" that AOL would repair itself, so users wouldn't have to do anything to fix the problem.

The problem had to do with a new feature that allows users to play online games with each other. The security flaw appeared only in its most recent Windows version of AIM, 4.7, Weinstein said.

The group that discovered the flaw says it dates back to at least the 4.3 version. The group, w00w00, is a nonprofit security organization that has members in nine countries, including Russia, the United States and Australia.

Non-Windows versions were not affected by the problem.

Before AOL had fixed the problem, w00w00 recommended that users restrict incoming messages to friends on their "Buddy List." A user can do this by going to "Your Preferences." In the "Privacy" section, click "Allow Only Users on My Buddy List" under "Who Can Contact Me," the security group said.

Not taking such an action would leave the program vulnerable to a worm or virus similar to "Melissa," "ILOVEYOU" and "Code Red," which have caused problems in computers worldwide.

"The implications of this vulnerability are huge and leave the door wide open for a worm," w00w00 said in a statement on its Web site. "This vulnerability will allow remote penetration of the victim's system without any indication as to who performed the attack. There is no opportunity to refuse the request."

AIM has more than 100 million users on its various versions.
