A Boston security company claims to have found six security holes in the ICQ ('I-Seek-You') instant messaging client for AOL.

The flaws include three problems with the Pop3 client, and can allow intruders to cause a variety of problems, from being able to install malware to hanging the computer by monopolising the CPU.

All versions of Mirabilis ICQ Pro instant messaging client, including the Mirabilis ICQ Pro 2003a release, are believed to be affected. There is no available patch for the problems.

AOL bought the ICQ system manufacturer Mirabilis in 1998.

"It doesn't need much technical ability to exploit this," said Ejovi Nuwere, senior security engineer for Core Security Technologies.

"Although there's no sign of any automated tools for script kiddies, there's little doubt that a skilled coder could build an automated exploit engine within a couple of days at most."

Before going public, Core Security Technologies said it made repeated attempts to contact AOL and developers Mirabilis with details of the problems after discovering them in March, but has received no response.

AOL in the US declined to comment beyond issuing a brief statement, which said: "We take all security related inquires seriously and are currently looking into the report."

Full details of the flaws can be found here.