X
Tech
Home Tech Security

ICQ security hole reported

A security hole that may allow an attacker to run malicious code on a victim's PC has been detected in AOL's ICQ chat program.
Written by Wendy McAuliffe, Contributor
A security hole that may allow an attacker to run malicious code on a victim's PC has been detected in AOL's ICQ chat program.

All versions prior to AOL Mirabilis 2001B are vulnerable to the exploit, according to a report published on Thursday by the US-based Internet security center CERT.

Users who have the most recent build of the Mirabilis client are safe because vulnerable builds of the newest client will be automatically instructed by the server to disable the vulnerable plug-in. But all versions prior to 2001B do not have an external plug-in to disable, and so are vulnerable even after connecting to the server.

ICQ, which stands for "I seek you", is a program for communicating with other users over the Internet. AOL Time Warner, the owner of ICQ, claims that the application is used by over 122 million people.

To date, there have been no reports of this security hole being exploited.

The ICQ client for Windows is vulnerable to a hacking technique called buffer overflow, and can be exploited during the processing of a Voice Video and Games feature request message, said CERT. This message is supposed to be a request from another ICQ user inviting the victim to participate interactively with a third-party application. In vulnerable clients, the malicious code can be is executed through a direct connection request.

CERT reports that AOL has modified the ICQ server infrastructure to filter out malicious messages that contain code to exploit this vulnerability. But the US organization said it may still be possible to exploit the hole through network sniffing, DNS spoofing or via third-party ICQ servers.

ICQ requests can be sent directly from one client to another. This means that a hacker wishing to establish a direct connection with a vulnerable client can query an ICQ server for the IP address and listening port of the victim. Early versions of AOL Mirabilis accept direct connections to an unknown host by default, and more recent versions can be configured to accept direct connections from anyone.

Since there is currently no patch available for the ICQ plug-in for versions of the client prior to 2001B, AOL is advising users to upgrade to version 2001 Beta v5.18 Build #3659, which will delete the vulnerable plug-in.

Editorial standards
Show Comments

Related

The Apple Watch Ultra 2 with an Atlantic Blue Nomad Rugged Band.

6 reasons to buy an Apple Watch, according to a wearables expert

Linus Torvalds and Dirk Hohndel, Open Source Summit North America 2024

Linus Torvalds takes on evil developers, hardware errors and 'hilarious' AI hype

Placeholder product image alt text

The best AI image generators to try right now