According to w00w00, the vulnerability arises from the way AIM handles a request to play a game. The attacker sends a malformed game request to the target user, which causes a buffer overflow that lets the attacker execute arbitrary code on the victim's machine. W00w00 warns that unless the vulnerability is fixed, it is quite possible that all 100 million AIM users could become the target of a Code Red- or Nimda-like worm that takes advantage of the application's weakness.
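The class of bug the advisory describes (a message field whose sender-supplied length is trusted when it is copied into a fixed-size buffer) is easiest to see beside its fix. The following C is an added illustration written for this page; it is not AIM's code, not w00w00's exploit, and the message layout (one type byte, a two-byte big-endian length, then the game name) is a constructed, hypothetical format chosen only to show the check that a parser of this kind needs.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical wire format (constructed for this example, not AIM's):
 *   byte 0      : message type (0x01 = game request)
 *   bytes 1..2  : big-endian length of the game name that follows
 *   bytes 3..   : game name, exactly `length` bytes
 */
#define MSG_GAME_REQUEST 0x01
#define GAME_NAME_MAX    32     /* fixed capacity of the receiver's buffer */

/* Illustrative unsafe pattern (never called on hostile input here):
 * it copies as many bytes as the sender claims, so a declared length
 * larger than the destination overruns the stack buffer. */
void parse_game_request_unsafe(const uint8_t *msg, char *out)
{
    size_t declared = ((size_t)msg[1] << 8) | msg[2];
    memcpy(out, msg + 3, declared);   /* no bound check against GAME_NAME_MAX */
    out[declared] = '\0';
}

/* Hardened parser: every sender-controlled quantity is checked against
 * both the buffer capacity and the bytes actually received.
 * Returns 0 on success, -1 on any malformed message. */
int parse_game_request(const uint8_t *msg, size_t msglen,
                       char out[GAME_NAME_MAX + 1])
{
    if (msg == NULL || out == NULL || msglen < 3)
        return -1;                               /* header incomplete */
    if (msg[0] != MSG_GAME_REQUEST)
        return -1;                               /* not a game request */

    size_t declared = ((size_t)msg[1] << 8) | msg[2];
    if (declared > GAME_NAME_MAX)
        return -1;                               /* would overflow `out` */
    if (declared > msglen - 3)
        return -1;                               /* claims more than was sent */

    memcpy(out, msg + 3, declared);
    out[declared] = '\0';
    return 0;
}

/* Constructed sample: a well-formed request for a game called "chess". */
int demo_benign(void)
{
    const uint8_t good[] = { 0x01, 0x00, 0x05, 'c', 'h', 'e', 's', 's' };
    char name[GAME_NAME_MAX + 1];
    if (parse_game_request(good, sizeof good, name) != 0)
        return 0;
    return strcmp(name, "chess") == 0;
}

/* Constructed sample: declared length 0x1000 far exceeds the buffer. */
int demo_oversize(void)
{
    const uint8_t bad[] = { 0x01, 0x10, 0x00, 'A', 'A', 'A', 'A' };
    char name[GAME_NAME_MAX + 1];
    return parse_game_request(bad, sizeof bad, name) == -1;
}

/* Constructed sample: declared length 5 but only 2 name bytes arrived. */
int demo_truncated(void)
{
    const uint8_t bad[] = { 0x01, 0x00, 0x05, 'c', 'h' };
    char name[GAME_NAME_MAX + 1];
    return parse_game_request(bad, sizeof bad, name) == -1;
}

int main(void)
{
    printf("benign accepted:    %s\n", demo_benign()    ? "yes" : "no");
    printf("oversize rejected:  %s\n", demo_oversize()  ? "yes" : "no");
    printf("truncated rejected: %s\n", demo_truncated() ? "yes" : "no");
    return 0;
}
```

The two checks in the hardened version are the whole point: the declared length must fit the destination buffer and must not exceed the bytes actually received. A parser that enforces only one of them is still exploitable or still reads past the end of the packet, and detection rules for this kind of flaw look for exactly the mismatch between a declared field size and the message's real size.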
"An exploit could easily be amended to download itself off the Web, determine the buddies of the victim, and then attack them also. Given the general nature of social networks and how they are structured, we predict that it wouldn't take long for such an attack to propagate," w00w00 wrote in its advisory.
The group recommends that users go into their AIM preferences and in the Privacy section select the "Allow Only Users on My Buddy List" option under "Who can contact me."
Security firm Vigilinx Inc. is warning that the vulnerability could cause "heavy damage." The firm recommends that AIM users turn the software off until AOL provides a fix. Businesses are encouraged not to run AIM on their systems and to remove any previously installed versions.
AOL was not available for comment.