May 06, 2003

Bevy of new ICQ vulnerabilities surface

Hacker could gain remote control of client machines

Six security vulnerabilities in America Online's (AOL's) free ICQ Pro instant messaging client give attackers a number of new ways to gain remote control over machines running the software, according to an advisory published Monday by Core Security Technologies.

The vulnerabilities affect all versions of the Mirabilis ICQ Pro instant messaging client up to and including the Mirabilis ICQ Pro 2003a release. ICQ Lite, another free version of the product, is not affected by the vulnerabilities, according to Ejovi Nuwere, lead security engineer at Core Security.

Core Security found problems in a variety of ICQ components, including features for receiving e-mail messages, displaying banner advertisements and GIF format images, and even in the code used to handle product feature upgrades, according to the company.

All of the vulnerabilities were tested on machines running versions of the Windows operating system, but ICQ Pro clients for other platforms are also believed to be vulnerable, Nuwere said.

The most serious of the vulnerabilities were found in a Post Office Protocol version 3 (POP3) mail client that is integrated with the ICQ Pro product. The client enables ICQ users to remotely retrieve e-mail messages from their mail server.

A format string vulnerability and a buffer overflow vulnerability in the client could let a remote attacker execute malicious code on a machine running ICQ. The attack could be delivered in improperly formatted e-mail messages that the client retrieves and parses, according to Nuwere.

In testing, researchers were able to use the vulnerabilities to remotely capture and send out password and mail files from a machine running Microsoft Corp.'s Windows NT operating system, he said.
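To make the two bug classes named above concrete, here is a toy POP3 response handler written as an added example for this article. It is not code from Core Security's advisory and not AOL's ICQ source, whose internals the article does not describe; the function names (logf_, log_line_vulnerable, pop3_store_line, pop3_status) and the sample input lines are constructed for the example. The only protocol fact it relies on is RFC 1939's rule that a POP3 response line is at most 512 octets including the CRLF. The vulnerable logging path passes a server-supplied line straight through as a format string; the hardened path passes it as an argument, and the line copier enforces the protocol length limit before copying instead of trusting the server to stay within a fixed buffer.

```c
/* Added example: a toy POP3 response handler showing a format string bug
 * and an unbounded copy beside their hardened forms. Hypothetical names;
 * not ICQ's code. */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define POP3_MAX_LINE 512   /* RFC 1939: a response line is at most 512 octets, CRLF included */

static char g_log[64];                 /* destination of the logging helper */
static char g_line[POP3_MAX_LINE + 1]; /* bounded storage for one response line */

/* Typical logging helper: callers are supposed to pass a literal format
 * plus arguments. Passing attacker-controlled text as fmt is the bug. */
static void logf_(const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(g_log, sizeof g_log, fmt, ap);
    va_end(ap);
}

/* VULNERABLE: the server's line is the format string. "%x%x%n" in a
 * response or message header would read and write the stack; the demo
 * below only uses "%%" because anything else is undefined behaviour. */
const char *log_line_vulnerable(const char *line)
{
    logf_(line);
    return g_log;
}

/* HARDENED: server data is only ever a %s argument, never the format. */
const char *log_line_hardened(const char *line)
{
    logf_("%s", line);
    return g_log;
}

/* VULNERABLE pattern, shown but deliberately never called:
 *     char buf[128];
 *     strcpy(buf, line);    // a 600-byte "+OK" line overruns buf
 * HARDENED: enforce the protocol limit and reject, rather than truncate,
 * anything longer. Returns 1 if the line was stored, 0 if rejected. */
int pop3_store_line(const char *line)
{
    size_t n = strlen(line);
    if (n > POP3_MAX_LINE)
        return 0;
    memcpy(g_line, line, n + 1);
    return 1;
}

/* Classify a response line: 1 for +OK, -1 for -ERR, 0 for anything else. */
int pop3_status(const char *line)
{
    if (strncmp(line, "+OK", 3) == 0 && (line[3] == '\0' || line[3] == ' ' || line[3] == '\r'))
        return 1;
    if (strncmp(line, "-ERR", 4) == 0 && (line[4] == '\0' || line[4] == ' ' || line[4] == '\r'))
        return -1;
    return 0;
}

/* Constructed test input: a syntactically valid +OK line padded to 600
 * bytes, longer than any conforming server would ever send. */
const char *constructed_long_line(void)
{
    static char big[601];
    memset(big, 'A', sizeof big - 1);
    memcpy(big, "+OK ", 4);
    big[600] = '\0';
    return big;
}

int main(void)
{
    const char *probe = "+OK 100%% done";  /* constructed: a server line carrying a % directive */
    printf("vulnerable log: %s\n", log_line_vulnerable(probe)); /* directive interpreted */
    printf("hardened log:   %s\n", log_line_hardened(probe));   /* printed verbatim */
    printf("status of \"+OK POP3 ready\": %d\n", pop3_status("+OK POP3 ready"));
    printf("600-byte line accepted: %d\n", pop3_store_line(constructed_long_line()));
    return 0;
}
```

The difference in the two log lines is the whole bug class: once attacker bytes reach the format position, every `%` directive in a mail server response or message header is executed by the C library rather than printed, and the same data arriving in a copy that trusts a fixed-size buffer is the overflow the advisory describes.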

While not every ICQ vulnerability discovered by Core Security is that serious, all of those found could be remotely exploited and could, at the least, cause the ICQ client to crash, Nuwere said.

The vulnerabilities are sophisticated enough that an attacker would need to have experience writing exploits to take advantage of them. However, given that level of coding knowledge, creating an exploit would be a simple matter requiring maybe a day or two of effort, Nuwere said.

Despite the severity of the problems, Core Security has received no response from AOL since it first notified the company of them in early March.

The company made repeated efforts to reach an AOL representative, sending details of its findings to multiple support e-mail addresses at AOL and asking online security discussion groups for contact names and numbers within the company. When a second and third round of notifications in late March and early April also went unanswered, Core Security went public with its findings on Monday.

"Our standard policy is to contact any vendor whose products we find problems with and give them 30 days notice. As of today we haven't heard of anything (from AOL)," Nuwere said.

AOL acquired the ICQ product with its purchase of the Israeli company Mirabilis in 1998. The product is still managed from Israel, and a U.S. spokesman for AOL seemed unfamiliar with the reported problems when asked about them on Tuesday.


©1994-2009 Infoworld, Inc.