Home & Office

Unpatched security hole detected in ICQ

AOL has modified the ICQ server infrastructure to filter out code that exploits the vulnerability, but users are advised to upgrade to the latest client
Written by Wendy McAuliffe, Contributor

A security hole that may allow an attacker to run malicious code on a victim's PC has been detected in AOL's ICQ chat program.

All versions prior to AOL Mirabilis 2001B are vulnerable to the exploit, according to a report published on Thursday by the US-based Internet security centre CERT. Users who have the most recent build of the Mirabilis client are safe because vulnerable builds of the newest client will be automatically instructed by the server to disable the vulnerable plug-in. But all versions prior to 2001B do not have an external plug-in to disable, and so are vulnerable even after connecting to the server.

ICQ, which stands for "I seek you", is a program for communicating with other users over the Internet. AOL Time Warner, the owner of ICQ, claims that the application is used by over 122 million people. To date, there have been no reports of this security hole being exploited.

The ICQ client for Windows is vulnerable to a hacking technique called buffer overflow, and can be exploited during the processing of a Voice Video and Games feature request message, said CERT. This message is supposed to be a request from another ICQ user inviting the victim to participate interactively with a third-party application. In vulnerable clients, the malicious code can be is executed through a direct connection request.

CERT reports that AOL has modified the ICQ server infrastructure to filter out malicious messages that contain code to exploit this vulnerability. But the US organisation said it may still be possible to exploit the hole through network sniffing, DNS spoofing or via third-party ICQ servers.

ICQ requests can be sent directly from one client to another. This means that a hacker wishing to establish a direct connection with a vulnerable client can query an ICQ server for the IP address and listening port of the victim. Early versions of AOL Mirabilis accept direct connections to an unknown host by default, and more recent versions can be configured to accept direct connections from anyone.

Since there is currently no patch available for the ICQ plug-in for versions of the client prior to 2001B, AOL is advising users to upgrade to version 2001 Beta v5.18 Build #3659, which will delete the vulnerable plug-in.

For all security-related news, including updates on the latest viruses, hacking exploits and patches, check out ZDNet UK's Viruses and Hacking News Section.

Have your say instantly, and see what others have said. Click on the TalkBack button and go to the Security forum.

Let the editors know what you think in the Mailroom. And read other letters.

Editorial standards