The company has "identified the issue and developed a resolution that should be deployed in the next day or two," said AOL spokesman Andrew Weinstein.
The fix will take place on AOL's servers and will not require users to download patches, he said. Weinstein added that AOL is unaware of any users being affected by the security problem.
The hole, discovered by internet security group w00w00, takes advantage of a flaw in the shared game features of AIM. The feature allows users to invite members of their buddy list to participate in online games, but could allow an attacker to send malicious code to the victim's machine.
W00w00 also speculated that the bug could be used to create a worm similar to the Code Red and Nimda worms that hit Microsoft Internet Information Services Web servers in July and October, respectively. In this scenario, the worm could attack vulnerable systems and spread via the buddy list on the infected PC.
The vulnerability affects users of AIM versions 4.7 and 4.8, Weinstein said. W00w00 initially agreed but later added that AIM versions as far back as 4.3 are affected. However, Weinstein said that the only versions that support the shared game feature where the vulnerability resides are 4.7 and 4.8.
According to AOL, AIM has more than 100 million registered users. No figures were available as to how many users have the vulnerable versions of the software.