In association with heise online

07 November 2006, 13:21

ICQ ActiveX control enables takeover of computer

  • Twitter
  • Facebook
  • submit to slashdot
  • StumbleUpon
  • submit to reddit

A new security hole in the ActiveX control in ICQ is reported to allow attackers to smuggle programs onto the victim's computer by merely sending them a message. The code can then be executed with the victim's rights. The error is part of a function in the ICQPhone.SipxPhoneManager component that accepts addresses as parameters and then downloads and executes the indicated file.

According to the security advisory from the Zero Day Initiative, attackers can use what is known as an avatar – a picture of the user – as the attack vector. It is loaded by ICQ once a message is received from another user. The victim therefore does not need to take any action for the malicious code to be planted and executed.

The security advisory indicates that AOL has released updates. These are to be installed during the connection process with the ICQ service. Users of the original ICQ software are therefore advised immediately to bring their client up to date by setting the software, even briefly, into an online state.

See also:


Print Version | Send by email | Permalink:

  • July's Community Calendar

The H Open

The H Security

The H Developer

The H Internet Toolkit