Information Security News mailing list archives

Previous By Date Next
Previous By Thread Next

Security group: ICQ is flawed

From: InfoSec News <isn () c4i org>
Date: Wed, 7 May 2003 04:15:22 -0500 (CDT)
Forwarded from: Ejovi Nuwere <ejovi () ejovi net>

http://zdnet.com.com/2100-1105_2-999870.html

By Robert Lemos
CNET News.com
May 6, 2003, 

Two serious flaws in America Online's ICQ software could allow an
online attacker to take control of a person's PC, a Boston security
firm warned in an advisory released Monday.

Core Security Technologies described the vulnerabilities in an
advisory released to several public security lists. While the company
found a total of six flaws, it said only two have serious implications
because they could allow an attacker to run code on the victim's
computer.

"However, the risk associated to each vulnerabilities is highly
dependent on the environment in which ICQ is being used," said Ivan
Arce, chief technology officer for Core. "Generally we don't make
assumptions about risk in our advisories because we don't think the
one-size-fits-all approach is valid."

The vulnerable ICQ Pro 2003a client is the latest version of America
Online's ICQ instant messaging software, which has been downloaded
from CNET Network's Download.com site more than 228 million times.
Last year, the company offered a slimmed down version called ICQ Lite.
That application doesn't have the flaws, according to the advisory.

No one from America Online's ICQ subsidiary was available Monday to
comment on the alleged flaws. The security researchers also noted that
they had problems reaching those responsible for security at ICQ.

"We also attempted to get specific security contact points from third
parties that might have reported ICQ bugs before but had no success
with this either, so after over a month of going back and forth with
the advisory we finally decided to publish it unilaterally," he said.

Three of the vulnerabilities, including one of the critical flaws,
occurred in the software's e-mail feature. A bug in the component
could allow an attacker to use the way the software handles e-mail to
cause it to execute code, if the attacker can impersonate the user's
e-mail server.

The other so-called critical vulnerability appeared in a feature of
ICQ that allows automated updating, the group said. Because that
component doesn't have adequate security, an attacker could pretend to
be sending a legitimate update when in reality the upgrade is hostile
code.

Israeli company Mirabilis, which created the software, was bought by
America Online in June 1998 and its name was changed to ICQ Inc. ICQ
is short for "I Seek You."


-- 
ejovi nuwere
http://www.ejovi.net
http://www.hackercracker.net



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.
Previous By Date Next
Previous By Thread Next

Current thread: