In association with heise online

08 September 2006, 11:33

AOL's ICQ software a potential portal for attacks

Core Security has warned of multiple holes in AOL's ICQ software. Both the Pro 2003b ICQ client and the ICQ toolbar for Internet Explorer contain vulnerabilities that could be exploited over the Internet.

A programming error in ICQ Pro 2003b could allow specially crafted messages to trigger an exploitable buffer overflow on the heap. The flaw was discovered with the aid of a special fuzzing tool. According to the security advisory, ICQ 5.1 and ICQ2Go! are not affected; Core Security recommends an upgrade to ICQ 5.1.

The ICQ toolbar for Internet Explorer also fails to inspect incoming data sufficiently. Script code embedded in RSS feeds can therefore be executed, and it runs within IE's local zone. That means almost unrestricted rights to download and launch programs, among other things. Various settings in the toolbar can also be manipulated. Version 1.3 is vulnerable, and no fixed version is available as yet. Core Security reports that AOL recommends switching to version 1.2, which doesn't support RSS. Version 1.2 is delivered with ICQ 5.1.
