ICQ ActiveX control enables takeover of computer
A new security hole in the ActiveX control in ICQ is reported to allow attackers to smuggle programs onto the victim's computer by merely sending them a message. The code can then be executed with the victim's rights. The error is part of a function in the ICQPhone.SipxPhoneManager component that accepts addresses as parameters and then downloads and executes the indicated file.
According to the security advisory from the Zero Day Initiative, attackers can use what is known as an avatar – a picture of the user – as the attack vector. It is loaded by ICQ once a message is received from another user. The victim therefore does not need to take any action for the malicious code to be planted and executed.
The security advisory indicates that AOL has released updates. These are to be installed during the connection process with the ICQ service. Users of the original ICQ software are therefore advised immediately to bring their client up to date by setting the software, even briefly, into an online state.
- America Online ICQ ActiveX Control Code Execution Vulnerability, security advisory from the Zero Day Initiative
- Download of the current version from the ICQ homepage