CERT: AOL’s ICQ chat app has security flaw

A security hole in America Online Inc.’s ICQ chat program could allow attackers to run the code of their choice on a computer using the program, the U.S. federally-funded computer security organization Computer Emergency Response Team Coordination Center (CERT/CC) said in an advisory Thursday.

AOL has fixed the flaw on its servers, but also recommends that users upgrade their ICQ program to the new version, which does not have the vulnerability, because the server fix will not solve the problem entirely, CERT/CC said.

The security hole in ICQ affects all versions of AOL Mirabilis ICQ prior to, and including, version 2001A as well as the Voice Video & Games plug-in installed by versions prior to 2001B Beta v5.18 Build #3659, CERT said.

The flaw operates in much the same way as a security hole discovered in early January in AOL’s other chat program, Instant Messenger. ICQ is vulnerable to a buffer overflow attack in which the memory allocated to the Voice Video & Games component is overwhelmed, allowing attackers to run any code they choose on the target system, CERT said. In all versions of ICQ prior to 2001B, the vulnerable code is a part of the program, though in 2001B and later versions, the vulnerable code has been moved into a plug-in, CERT said.

Thanks to AOL’s fix, when ICQ’s client versions 2001B and up connect to AOL’s servers, the plug-in is disabled, preventing an attack, CERT said. However, because versions 2001A and earlier include the vulnerable code as part of the program and not as a plug-in that can be disabled, AOL recommends that ICQ users upgrade to the latest version of the program, 2001B Beta v5.18 Build #3659, in order to be protected, the advisory said.

Exploiting the flaw through other means, such as attacks in which the attacker sits between the ICQ user and the server and intercepts the user’s traffic, may still be possible, CERT said.

AOL claims 122 million ICQ users worldwide.

To upgrade to the latest version of ICQ, users should go to http://www.icq.com/download.

AOL Time Warner, in New York, can be reached at http://www.aoltimewarner.com. CERT/CC, in Pittsburgh, can be contacted at http://www.cert.org/

Would you recommend this article?

Share

Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.


Jim Love, Chief Content Officer, IT World Canada

Featured Download

Featured Articles

Cybersecurity in 2024: Priorities and challenges for Canadian organizations 

By Derek Manky As predictions for 2024 point to the continued expansion...

Survey shows generative AI is a top priority for Canadian corporate leaders.

Leaders are devoting significant budget to generative AI for 2024 Canadian corporate...

Related Tech News

Tech Jobs

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

Tech Companies Hiring Right Now