The hole is in the ICQ Voice Video & Games feature for versions earlier than 2001b, according to the notice. ICQ 2001b was released on 31 October last year.
According to the ICQ Web site, over 100 million people worldwide are registered as ICQ users.
ICQ is owned by America Online Time Warner (AOL), which earlier this month had to patch a hole in its other instant messaging product, AOL Instant Messenger (AIM).
The hole in ICQ is very similar, according to Daniel Tan, a US student who first reported the vulnerability in a posting to the Bugtraq mailing list.
Both ICQ and AIM are flawed in the way they handle a certain data packet. The packed causes a buffer overflow, which could allow an attacker to run code on a user's computer.
Details on how to exploit the vulnerability were not published because Tan wanted to give AOL time to fix its software.