In association with heise online

8 September 2006, 12:33

AOL's ICQ software a potential portal for attacks

Core Security has warned of multiple holes in AOL's ICQ software. Both the Pro 2003b ICQ client and the ICQ toolbar for Internet Explorer contain vulnerabilities that could be exploited over the Internet.

A programming error in ICQ Pro 2003b could allow special messages to trigger a buffer overflow on the heap that can then be exploited. The flaw was discovered with the aid of a special fuzzing tool. According to the security advisory, ICQ 5.1 and ICQ2Go! are not affected; Core Security recommends an upgrade to ICQ 5.1.

The ICQ toolbar for Internet Explorer also inspects incoming data insufficiently. Script code embedded in RSS feeds can therefore end up being executed – and within IE's local zone at that. That amounts to almost unrestricted rights to download and launch programs, among other things. Various toolbar settings can also be manipulated. Version 1.3 is vulnerable, and no fixed version is available as yet. Core Security reports that AOL recommends switching back to version 1.2, which doesn't support RSS. Version 1.2 ships with ICQ 5.1.
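The toolbar flaw comes down to rendering feed content without treating it as untrusted input. As an added illustration (not code from the advisory, Core Security or AOL), the following Python shows the check a feed consumer should apply: parse a constructed RSS document, flag active content in item descriptions, and escape them so they render as inert text rather than as HTML in a privileged zone.

```python
import html
import re
import xml.etree.ElementTree as ET

# Constructs that must never reach a privileged rendering context unescaped.
# The on*= pattern is deliberately broad and may flag ordinary text such as
# "option=" as a false positive; that is acceptable for a feed reader.
ACTIVE_CONTENT = re.compile(
    r"<\s*script\b"                 # <script> elements
    r"|\bon[a-z]+\s*="              # on* event handler attributes
    r"|javascript\s*:"              # javascript: URLs
    r"|<\s*(iframe|object|embed)\b",
    re.IGNORECASE,
)


def find_active_content(fragment):
    """Return the distinct active-content constructs found in an HTML fragment."""
    return sorted({m.group(0).lower() for m in ACTIVE_CONTENT.finditer(fragment)})


def sanitize_feed(xml_text):
    """Parse an RSS 2.0 document and return (title, description, findings) per item.

    Title and description are HTML-escaped so whatever the feed author sent is
    displayed as text; findings lists what would have run had the raw
    description been rendered as HTML.
    """
    root = ET.fromstring(xml_text)
    items = []
    for item in root.iter("item"):
        title = (item.findtext("title") or "").strip()
        desc = item.findtext("description") or ""
        items.append((html.escape(title), html.escape(desc), find_active_content(desc)))
    return items


# Constructed sample feed (not a real ICQ feed): one benign item, one carrying script.
SAMPLE_FEED = """<?xml version="1.0"?>
<rss version="2.0"><channel><title>demo</title>
<item><title>Benign</title><description><![CDATA[<p>Hello &amp; welcome</p>]]></description></item>
<item><title>Hostile</title><description><![CDATA[<script>alert(1)</script><img src=x onerror=alert(2)>]]></description></item>
</channel></rss>"""

if __name__ == "__main__":
    for title, desc, findings in sanitize_feed(SAMPLE_FEED):
        print(title, "->", findings or "clean")
```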

(ehe)
