Core Security has released the details of some very serious vulnerabilities in AOL’s instant messaging clients.
This remotely exploitable bug could allow a potential attacker to execute code on a remote box, inject HTML and JavaScript into IE, and remotely instantiate ActiveX controls.
It's important to note that this exploit does not rely on user interaction to work. The user does not have to open an attachment or click on a specific item.
In summary, it's a very serious vector.
AOL did some work to block the attacks server-side, but those measures have already proven to be bypassable.