A bug that could lead hackers into an unsuspecting user’s computer has been discovered in some versions of America Online’s ICQ instant-messaging (IM) system — the second time this month a vulnerability has been found in one of AOL’s IM programs.
The bug was located in the ICQ Voice Video & Games feature of versions earlier than the current one (2001b). According to SecurityFocus, “a buffer overflow exists in ICQ’s handling of specially formatted communications. A maliciously constructed packet … may overwrite data on the stack … This can easily cause the ICQ client to crash, and it may be possible to remotely execute arbitrary code.”
The bug was first reported last week on SecurityFocus’ BugTraq.
The fix is an easy one, AOL said. Users should upgrade to ICQ 2001b, “where this problem is fixed, for better security and best use of ICQ,” a note at the ICQ Web site said.
Users can download the latest version of ICQ directly from its Web site.
Among other features, the new version of ICQ allows users to send short-message service (SMS) text messages in three ways: from ICQ to a cellular phone and back, from the ICQ Web messaging center site to a cellular phone and back, and from any e-mail client to a cellular phone. Although the cellular phones receiving these messages must be SMS-enabled, the recipients do not need to be ICQ members.
ICQ also supports two-way SMS text messaging on select GSM-enabled carriers and non-GSM networks around the world, and allows users to send messages to wireless pagers.
Earlier this month, AOL fixed a similar bug in its own AOL Instant Messenger (AIM) program. The company applied a server-side patch for a security flaw in versions 4.7 and 4.8 of AIM.
Information about the vulnerability first surfaced just after New Year’s Day with an advisory from the non-profit security research group w00w00 Security Development. At the time, the group said the flaw, which consisted of a buffer overflow in the code that parses a game request in AIM’s “Play Game with Buddy” feature, would allow remote penetration of a victim’s system without any indication as to who had performed the attack.
Such an attack could have downloaded itself off the Web and then used AIM’s “buddy list” to attack the victim’s associates.
Of all the popular public IM networks and applications used at work, ICQ Chat is the least-used at 1.3 million users. AOL’s AIM stand-alone client is first at 6.1 million users, while MSN Messenger comes in second at 4.8 million users (Jupiter, November 2001).
Bob Woods is the managing editor of InstantMessagingPlanet.com.