AOL has fixed the flaw on its servers, but also recommends that users upgrade their ICQ program to the new version which does not have the vulnerability. This is because the server fix will not solve the problem entirely, CERT/CC said.
The security hole in ICQ affects all versions of AOL Mirabilis ICQ prior to, and including, version 2001A as well as the Voice Video & Games plug-in installed by versions prior to 2001B Beta v5.18 Build #3659, CERT said.
The flaw operates in much the same way as a security hole discovered in early January in AOL's other chat program, Instant Messenger. ICQ is vulnerable to a buffer overflow attack in which the memory allocated to the Voice Video & Games component is overwhelmed, allowing attackers to run any code they choose on the target system, CERT said. In all versions of ICQ prior to 2001B, the vulnerable code is a part of the program, though in 2001B and later versions, the vulnerable code has been moved into a plug-in, CERT said.
Thanks to AOL's fix, when ICQ's client versions 2001B and up connect to AOL's servers, the plug-in is disabled, preventing an attack, CERT said. However, because versions 2001A and earlier include the vulnerable code as part of the program and not as a plug-in that can be disabled, AOL recommends that ICQ users upgrade to the latest version of the program, 2001B Beta v5.18 Build #3659, in order to be protected, the advisory said.
Exploiting the flaw through other means, such as attacks in which the attacker sits between the ICQ user and the server and intercepts the user's traffic, may still be possible, CERT said.
AOL claims to have 122 million ICQ users worldwide.
To upgrade to the latest version of ICQ, users should go to http://www.icq.com/download