AOL's ICQ software a potential portal for attacks
Core Security has warned of multiple holes in AOL's ICQ software. Both the Pro 2003b ICQ client and the ICQ toolbar for Internet Explorer contain vulnerabilities that could be exploited over the Internet.
A programming error in ICQ Pro 2003b could allow special messages to trigger a buffer overflow on the heap that can then be exploited. The flaw was discovered with the aid of a special fuzzing tool. According to the security advisory, ICQ 5.1 and ICQ2Go! are not affected; Core Security recommends an upgrade to ICQ 5.1.
The ICQ toolbar for Internet Explorer also insufficiently inspects incoming data. Script code embedded in RSS feeds could therefore manage to be executed – and this within IE's local zone. That means almost unrestricted rights to download and launch programs, among other things. Various settings in the toolbar can also be manipulated. Version 1.3 is vulnerable, with no fixed version available as yet. Core Security reports that AOL recommends switching to version 1.2, which doesn't support RSS. Version 1.2 comes delivered with ICQ 5.1.
- AOL ICQ Pro 2003b heap overflow vulnerability from Core Security
- Multiple vulnerabilities in ICQ Toolbar 1.3 for Internet Explorer from Core Security