Nasty bug found in 'classic' ICQ client

Security researchers have found a nasty vulnerability in AOL's ICQ Pro 2003b software.

AOL is advising users of its ICQ instant message service to update to the latest version of the instant messaging software following the discovery of a bug in an older version of the product.

Security researchers at Core Security Technologies on Thursday reported that they had discovered the flaw in ICQ Pro 2003b, a version of the ICQ client that AOL still offers for download, billing it as a "veteran version" of the product for users who prefer the earlier look-and-feel.

Although the bug doesn't affect more recent ICQ software like ICQ 5.1, it could mean serious problems for ICQ Pro 2003b users, according to Max Caceres, director of product management at Core, a vendor of penetration testing software.

Core researchers have developed proof-of-concept code that causes ICQ Pro 2003b to crash and they believe that this vulnerability could eventually be exploited to run unauthorized software on a user's PC. More information on this flaw can be found here.

Hackers would attack a PC by sending a maliciously encoded instant message to any ICQ Pro 2003b user connected to the service. Victims "don't have to do anything at all," Caceres said. "Just by being there, someone can send them a message and they can be compromised."

Core has also discovered less-critical issues in AOL's ICQ Toolbar 1.3 for Internet Explorer. These flaws could allow attackers to change the toolbar's configuration settings or possibly even run scripting code by sending victims maliciously encoded RSS (Really Simple Syndication) feeds. More information on these bugs can be found here.

AOL said it was working to fix the bugs, but the company classifies them as "minor and low-risk," according to spokesman Andrew Weinstein. "Any users who are concerned can simply upgrade to the latest version of ICQ or not load suspicious RSS feeds," he said via instant message.

More about: AOL, ICQ, VIA

Comments

Post new comment

The content of this field is kept private and will not be shown publicly.
Users posting comments agree to the Computerworld comments policy.
Login or register to link comments to your user profile, or you may also post a comment without being logged in.
Related Whitepapers
Latest Stories
Community Comments
Whitepapers
All whitepapers
Sign up now to get free exclusive access to reports, research and invitation only events.
Featured Download
/downloads/product/170/gadwin-geforms/

Gadwin GeForms

GeForms allows you to create your own forms or fill in existing forms electronically. Using GeForms you are provided with sophisticated form design tools which ...

Computerworld newsletter

Join the most dedicated community for IT managers, leaders and professionals in Australia