http://blog.wired.com/27bstroke6/2007/09/aol-instant-mes.html
AOL's Instant Messaging software, both the old client and the new beta, contains a security hole that lets anyone who sends you a message run arbitrary commands and exploit Internet Explorer without the recipient having to do anything, according to Ryan Naraine at Zero Day. The hole, first reported to AOL more than a month ago, will not be fixed until the middle of October for the millions of people using AOL's AIM client.
AOL claims that the vulnerability, which allows a remote attacker to launch executable code without any user action, has been patched in the latest beta client but, as I've confirmed in a test with security researcher Aviv Raff (see screenshot below), fully patched versions of the beta are still wide open to a nasty worm attack.

Anyone running the software should uninstall it and use an alternative, such as a web-based client like Meebo or a third-party IM client like Trillian or Pidgin, to use an AIM account.
Production copies of the software, which sits on tens of millions of desktops around the world, are also unpatched.