AOL's ICQ IM Service Vulnerable To Attack, Says Firm - InformationWeek

InformationWeek is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

IoT
IoT
News

AOL's ICQ IM Service Vulnerable To Attack, Says Firm

Some 160 million users of AOL's youth-oriented ICQ are susceptible to bugs and PC crashes until they upgrade.

A security research firm today reported two vulnerabilities in America Online's ICQ global instant messaging service that could allow malicious attacks on the computers of more than 160 million registered users.

Available in 19 languages, ICQ launched in July 1996 as a peer-to-peer instant messaging service and has grown to include video, VoIP, and SMS features designed for young people. AOL says 80% of its ICQ users are between the ages of 13 and 29 and that the average user is connected five hours per day.

Unless users upgrade to version 5.1 of ICQ, their computers are susceptible to a vulnerability in the ICQ Pro 2003b IM client that could lead to denial-of-service attacks and remote compromise of systems, according to an alert issued by Core Security Technologies, a provider of penetration testing tools. This heap overflow vulnerability is similar to a buffer overflow: An attacker can fill an input field with too many characters and crash a PC. In the case of ICQ, attackers can add malicious data packets as part of an IM conversation.

A second Core Security alert highlights problems found in the ICQ Toolbar v1.3 that may allow attackers to control and change the toolbar's configuration settings. Another problem Core Security found pertains to the toolbar's "RSS Feeds" feature, allowing attackers to inject scripting code into the title and description fields of RSS content delivered to a user's ICQ Web page. An attacker could embed malicious code in a blog, for example, that's sent to a user via an RSS feed. "This is a fairly new form of attack, but we are seeing more and more of these," says Max Caceres, Core Security's director of product management.

Instant messaging and other client-side software will increasingly become the target of attackers because companies have focused more on bolstering the security of their backend systems and networks. "Desktops are the newest path of least resistance," Caceres says. While it would be easier for its users if AOL issued a patch for the current version of ICQ, the company is instead recommending users upgrade to version 5.1, he adds.

We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
Comment  | 
Print  | 
More Insights
State of the Cloud
State of the Cloud
Cloud has drastically changed how IT organizations consume and deploy services in the digital age. This research report will delve into public, private and hybrid cloud adoption trends, with a special focus on infrastructure as a service and its role in the enterprise. Find out the challenges organizations are experiencing, and the technologies and strategies they are using to manage and mitigate those challenges today.
Slideshows
7 Technologies You Need to Know for Artificial Intelligence
Jessica Davis, Senior Editor, Enterprise Apps,  7/1/2019
Commentary
A Practical Guide to DevOps: It's Not that Scary
Cathleen Gagne, Managing Editor, InformationWeek,  7/5/2019
Commentary
Diversity in IT: The Business and Moral Reasons
James M. Connolly, Editorial Director, InformationWeek and Network Computing,  6/20/2019
Register for InformationWeek Newsletters
Video
Current Issue
Data Science and AI in the Fast Lane
This IT Trend Report will help you gain insight into how quickly and dramatically data science is influencing how enterprises are managed and where they will derive business success. Read the report today!
White Papers
Slideshows
Twitter Feed
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.
Sponsored Video
Flash Poll