AOL Instant Messenger is vulnerable to worm attack due to the way it works with Internet Explorer 7, according to security researchers.

The critical flaw is in the way that the AIM displays web-based graphics, according to researchers at Core Security Technologies, which discovered the flaw.

Core has been working with AOL over the past few weeks to patch the problem. AOL's servers are now filtering instant messaging traffic to intercept any attacks, but the company has yet to patch the problem in its client software, the researchers said.

The flaw has to do with the way the AIM uses IE components to render HTML messages. By sending a malicious HTML message to an AIM user, an attacker could run unauthorised software on a victim's computer or force IE to visit a malicious web page, said Core chief technology officer Iván Arce.

This type of flaw could be exploited to create a self-replicating worm, according to both Core's Arce and Aviv Raff, a security researcher who says he'd discovered a related flaw in AIM. "The frightening thing about this vulnerability is that it can be easily exploited to create a massive IM worm, because it doesn't require any user interaction," Raff said.

No attacks based on these flaws have been reported.

Worms were front-page news in 2003 and 2004 when Blaster, Sobig, and Sasser gummed up PCs around the world. And while web-based worms have been in the news, a widespread instant messaging worm would be unprecedented.

Arce says that the safest thing is for AIM users to either upgrade to the 6.5 beta code or to downgrade to a 5.9 version of the software, which does not support HTML rendering.

But Raff offered different advice, saying that AIM 6.5 is still vulnerable to the flaw he discovered. According to him the best thing would be for AOL to "fix the underlying code," although AIM 5.9 is "probably not vulnerable to this specific vulnerability," he said.

AOL may not be planning to fix AIM any time soon, according to the company. "We have resolved all of the issues presented to us by Core Security within all past, current and future versions of AIM," AOL said without commenting on Raff's findings.

Users should still be concerned, however. Core's Arce said that he was worried that hackers could find ways around AOL's filters. What AOL has done is "just one portion of the solution and that's not the most effective portion," he said. "The most effective solution is to run a client that doesn't have the problem."