AOL offers ICQ bug bomb - Market Intelligence - Brief Article

ISP Business, Jan, 2002

A bug that could lead hackers into an unsuspecting user's computer has been discovered in some versions of AOL's ICQ instant messaging system. This is the second time this month that a vulnerability has been found in one of AOL's IM programs.

The bug is in the ICQ Voice Video & Games feature in versions earlier than 2001b, the current release. According to SecurityFocus, "a buffer overflow exists in ICQ's handling of specially formatted communications. A maliciously constructed packet... may overwrite data on the stack ... This can easily cause the ICQ client to crash, and it may be possible to remotely execute arbitrary code." SecurityFocus was the first to report the bug on its BugTraq. AOL said that the problem is easily fixed by upgrading to ICQ 2001b. Users can download the latest version of ICQ directly from its Web site.

Among other features, the new version of ICQ allows users to send Short Message Service (SMS) text messages in three ways: from ICQ to a cellular phone and back, from the ICQ Web messaging center site to a cellular phone and back, and from any e-mail client to a cellular phone. Although the cellular phones receiving these messages must be SMS-enabled, the recipients do not need to be ICQ members.

ICQ also supports two-way SMS text messaging on select GSM-enabled carriers and non-GSM networks around the world and allows users to send messages to wireless pagers.

Earlier this month, AOL fixed a similar bug in its own AOL Instant Messenger (AIM) program by applying a server-side patch for a security flaw in versions 4.7 and 4.8 of AIM.

Information about the vulnerability first surfaced just after New Year's Day with an advisory from w00w00 Security Development, a non-profit security research group. At the time, the group said the flaw, which consisted of a buffer overflow in the code that parses a game request in AIM's "Play Game with Buddy" feature, would allow remote penetration of a victim's system without any indication as to who had performed the attack. Such an attack could have downloaded itself from the Web and then used AIM's "buddy list" to attack the victim's associates.

ICQ Chat is the least used of all the popular public IM networks and applications used at work, with 1.3 million users. AOL's AIM stand-alone client is first at 6.1 million users, while MSN Messenger comes in second at 4.8 million users.

COPYRIGHT 2002 Information Gatekeepers, Inc.
COPYRIGHT 2002 Gale Group
 
