AOL has moved quickly to patch a severe security flaw in its AOL Instant Messenger (AIM) client - which also ships with Netscape Communicator.

Security firm @stake said the flaw could have allowed hackers, through malicious HTML email or a malicious website, to run code on users' machines if they had installed AIM, regardless of whether they were running it or not.

The weakness, a HTTP buffer overflow vulnerability, was described by @stake as "real easy to exploit".

Many corporate networks are understood to be included in the estimated 64 million users of the client. @stake warned that the bug may bypass corporate firewalls, because it is client initiated and most firewalls don't guard against this type of attack.

AOL has posted a patched version of the IM client at http://www.aol.com/aim/home.html, but eyebrows are likely to be raised at the apparent lack of publicity for the fix. However, AOL said it has received no reports of the flaw being exploited.

@stake warned that people are vulnerable unless they upgrade. A description of what users should do if they cannot easily upgrade can be found on @stake's website.