Security Flaw Found in ICQ

Bug in older versions of instant messaging app is similar to vulnerability found in AIM.

Users of the instant messaging application ICQ are urged to upgrade to the latest version of the software because of a potentially damaging bug in older versions, according to a notice on the ICQ Web site.

A bug has been found in the ICQ Voice Video & Games feature for versions earlier than 2001b, according to the notice. ICQ 2001b was released on October 31 2001. Over 100 million people worldwide are registered as ICQ users, according to the ICQ Web site.

ICQ is owned by AOL Time Warner, which earlier this month had to patch a hole in its other instant messaging product, AOL Instant Messenger. The hole in ICQ is very similar, according to Daniel Tan, a University of Pennsylvania student who first reported the vulnerability in a posting to the Bugtraq mailing list.

Both ICQ and AIM are flawed in the way they handle a certain data packet, causing a buffer overflow and potentially allowing an attacker to run arbitrary code on a user's computer, Tan writes. Details on how to exploit the vulnerability were not published because Tan wanted to give AOL time to fix its software, according to his posting.

Users can check if their version of AIM is vulnerable by clicking on any user name in the ICQ contact list and looking for the Voice Video & Games options. ICQ is vulnerable if the options are available, according to the notice on the ICQ Web site.

Would you recommend this story? YES NO

Recommend:
0 Comments

Subscribe to the Security & Privacy Newsletter - weekly

See All Newsletters »

Name	City

Address 1	State	Zip

Address 2	E-mail (optional)