News

CERT publishes ICQ chat flaw advisory

A security hole in America Online's ICQ chat program could allow hackers to run the code of their choice on a computer using the program, according to the US's federally-funded computer security organisation Computer Emergency Response Team Coordination Center (CERT/CC).

AOL has fixed the flaw on its servers, but also recommends that users upgrade their ICQ program to the new version which does not have the vulnerability. This is because the server fix will not solve the problem entirely, CERT/CC said.

The security hole in ICQ affects all versions of AOL Mirabilis ICQ prior to, and including, version 2001A as well as the Voice Video & Games plug-in installed by versions prior to 2001B Beta v5.18 Build #3659, CERT said.

The flaw operates in much the same way as a security hole discovered in early January in AOL's other chat program, Instant Messenger. ICQ is vulnerable to a buffer overflow attack in which the memory allocated to the Voice Video & Games component is overwhelmed, allowing attackers to run any code they choose on the target system, CERT said. In all versions of ICQ prior to 2001B, the vulnerable code is a part of the program, though in 2001B and later versions, the vulnerable code has been moved into a plug-in, CERT said.

Thanks to AOL's fix, when ICQ's client versions 2001B and up connect to AOL's servers, the plug-in is disabled, preventing an attack, CERT said. However, because versions 2001A and earlier include the vulnerable code as part of the program and not as a plug-in that can be disabled, AOL recommends that ICQ users upgrade to the latest version of the program, 2001B Beta v5.18 Build #3659, in order to be protected, the advisory said.

Exploiting the flaw through other means, such as attacks in which the attacker sits between the ICQ user and the server and intercepts the user's traffic, may still be possible, CERT said.

AOL claims to have 122 million ICQ users worldwide.

To upgrade to the latest version of ICQ, users should go to http://www.icq.com/download

Email Alerts

Register now to receive ComputerWeekly.com IT-related news, guides and more, delivered to your inbox.
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
 

COMMENTS powered by Disqus  //  Commenting policy