All versions prior to AOL Mirabilis 2001B are vulnerable to the exploit, according to a report published on Thursday by the US-based Internet security center CERT.
Users who have the most recent build of the Mirabilis client are safe because vulnerable builds of the newest client will be automatically instructed by the server to disable the vulnerable plug-in. But all versions prior to 2001B do not have an external plug-in to disable, and so are vulnerable even after connecting to the server.
ICQ, which stands for "I seek you", is a program for communicating with other users over the Internet. AOL Time Warner, the owner of ICQ, claims that the application is used by over 122 million people.
To date, there have been no reports of this security hole being exploited.
The ICQ client for Windows is vulnerable to a hacking technique called buffer overflow, and can be exploited during the processing of a Voice Video and Games feature request message, said CERT. This message is supposed to be a request from another ICQ user inviting the victim to participate interactively with a third-party application. In vulnerable clients, the malicious code can be is executed through a direct connection request.
CERT reports that AOL has modified the ICQ server infrastructure to filter out malicious messages that contain code to exploit this vulnerability. But the US organization said it may still be possible to exploit the hole through network sniffing, DNS spoofing or via third-party ICQ servers.
ICQ requests can be sent directly from one client to another. This means that a hacker wishing to establish a direct connection with a vulnerable client can query an ICQ server for the IP address and listening port of the victim. Early versions of AOL Mirabilis accept direct connections to an unknown host by default, and more recent versions can be configured to accept direct connections from anyone.
Since there is currently no patch available for the ICQ plug-in for versions of the client prior to 2001B, AOL is advising users to upgrade to version 2001 Beta v5.18 Build #3659, which will delete the vulnerable plug-in.