AOL patches hole in Instant Messenger

America Online Inc. today said it patched a buffer overflow vulnerability in its AOL Instant Messenger (AIM) software.

Dulles, Va.-based AOL patched the vulnerability in AIM early this morning on its servers, said company spokesman Andrew Weinstein.

“To our knowledge, no users were affected,” he said, adding that users don’t need download anything.

The security hole was first publicized by Matt Conover, a founding member of the online security research group w00w00 Security Development. Conover said a feature of AIM Version 4.7 allows hackers to break into the victim’s system and execute code through a buffer overflow. The exploit can only be performed through the feature that allows online gamers to invite others to play with them, and it’s “fairly difficult to exploit,” according to Conover.

However, once successful, a malicious hacker has the ability to launch a worm like those that have penetrated Microsoft Outlook and Internet Information Server products, and it can be executed without the user’s knowledge.