ICQ flaws open PCs to attack



07-05-2003   #1
net1
Guest

A security company has released an advisory detailing six flaws in the ICQ communication software, two of which are serious vulnerabilities.
Two serious flaws in America Online's ICQ software could allow an online attacker to take control of a person's PC, a Boston security firm warned in an advisory released on Monday.

Core Security Technologies described the vulnerabilities in an advisory released to several public security lists. While the company found a total of six flaws, it said only two have serious implications because they could allow an attacker to run code on the victim's computer.

"However, the risk associated to each vulnerability is highly dependent on the environment in which ICQ is being used," said Ivan Arce, chief technology officer for Core. "Generally we don't make assumptions about risk in our advisories because we don't think the one-size-fits-all approach is valid."

The vulnerable ICQ Pro 2003a client is the latest version of America Online's ICQ instant messaging software, which has been downloaded from CNET Network's Download.com site more than 228 million times. Last year, the company offered a slimmed-down version called ICQ Lite. That application doesn't have the flaws, according to the advisory.

No one from America Online's ICQ subsidiary was available on Monday to comment on the alleged flaws. The security researchers also noted that they had problems reaching those responsible for security at ICQ.

"We also attempted to get specific security contact points from third parties that might have reported ICQ bugs before but had no success with this either, so after over a month of going back and forth with the advisory we finally decided to publish it unilaterally," he said.

Three of the vulnerabilities, including one of the critical flaws, occurred in the software's email feature. A bug in the component could allow an attacker to use the way the software handles email to cause it to execute code, if the attacker can impersonate the user's email server.

The other so-called critical vulnerability appeared in a feature of ICQ that allows automated updating, the group said. Because that component doesn't have adequate security, an attacker could pretend to be sending a legitimate update when in reality the upgrade is hostile code.

Israeli company Mirabilis, which created the software, was bought by America Online in June 1998 and its name was changed to ICQ Inc. ICQ is short for "I Seek You."