A security hole in ISP America Online's instant messenger service, AIM, which may have let hackers gain access to thousands of subscribers' machines, has now been resolved.
Instant message hole patched
"Users should not be concerned. There was a hole, which we have now fixed in our server," said AOL spokesman Andrew Weinstein. "There is no need to download any patches."
The hole, discovered by US security firm w00w00, threatened to leave thousands of AOL's subscribers running the Windows version of AIM (all versions up to and including 4.7) open to attack.
"The implications of this vulnerability are huge and leave the door wide open for a worm," said w00w00, which notified AOL of the hole over the Christmas period.
The flaw lay in the applications that allow users to add people to their buddy lists and play online games.
The so-called 'buffer overflow' problem was similar to that found in Windows XP's plug and play facility earlier this week, allowing hackers to take complete control of a victim's computer.
"There are two primary risks [from the hole]," said Matt Conover, founder of w00w00. "One is that someone will specifically target you for attack. The second would be a worm that will attack you, read your buddy list, and then attack them. This would allow an attacker to gain entry to your machine and do anything."
AOL said it did not know at this stage how any subscribers had been affected, but assured users that the problem had been resolved.
The giant ISP hit out at w00w00, saying its publication of the hole left users open to a higher risk of attack.
But Conover said w00w00 released the information in case AOL didn't and users needed to know. He said AOL had not made numbers for its instant messenger development team or security personnel readily available.
"If we had received a response [to our email] then we would have allowed them the time they needed," he added.