Frank Washkuch Jr.
Nov 7 2006 18:50
TippingPoint researchers warned AOL ICQ users this
week about a vulnerability that allows attackers to execute malicious code on
a vulnerable PC without user interaction.
AOL fixed the instant messaging (IM) service flaw on Oct. 31, but users who
haven't logged on to the ICQ network since then could still be at risk, TippingPoint
warned this week.
The update was immediately applied to ICQ version 5.1 users when they logged
on to the network, according to a TippingPoint advisory.
Researchers from TippingPoint's Zero Day Initiative reported the flaw to AOL
on Sept. 20, but held back information from the public because the vulnerability
could easily lead to the spread of a worm, TippingPoint researchers said.
The flaw exists in the DownloadAgent function of the IM service's ICQPhone.SipxPhoneManager
ActiveX control. Hackers can use a malicious ICQ avatar to exploit the flaw,
according to TippingPoint's advisory.
Terri Forslof, manager of security response for TippingPoint, told SCMagazine.com
today that ICQ users who have not logged in to the service this month must still
be vigilant against attacks.
"What I think is particularly interesting about (the flaw) is that customers
who have not logged in are not protected, and they can still be attacked by
a website," she said. "Most people think that if they're not using
the service, they're not at risk. In this case, that's not true."
Dave Endler, director of security research for TippingPoint, said attackers
can use both websites and malicious IM messages to exploit the flaw.
"This issue is unique in that it can be exploited through a web browser
as well as the ICQ network itself. ICQ users who have not logged into the ICQ
network since Oct. 31 can still be affected through a malicious website because
it does not require user interaction," he said. "The same six degrees
of freedom that connects everyone on the ICQ network can be leveraged by a worm
to spread autonomously and quickly."
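The browser vector described above works because the ICQPhone.SipxPhoneManager control is registered as a scriptable ActiveX object, so any web page Internet Explorer renders can instantiate it whether or not the ICQ client is running. The script below is an added example for defenders, not code from TippingPoint, AOL or this article. It takes the ProgID named in the advisory, resolves the control's CLSID from the local registry (the CLSID itself is not given in the article), and reports whether Internet Explorer's kill bit is set for it, optionally setting it. The registry locations and the 0x400 flag are Microsoft's documented kill-bit mechanism; everything else (function names, output format) is this example's own.

```powershell
# Added example (not from the advisory or from AOL/TippingPoint): check whether
# the ActiveX control named in the article can be loaded by Internet Explorer
# and, if requested, set its kill bit so web pages can no longer instantiate it.
# Run in an elevated PowerShell session on the machine being checked.
param(
    [string]$ProgId = 'ICQPhone.SipxPhoneManager',  # ProgID named in the TippingPoint advisory
    [switch]$SetKillBit                              # without this switch the script only reports
)

$KillBit = 0x400  # COMPAT_EVIL_DONT_LOAD: IE refuses to load a control carrying this flag

# The control's CLSID is not given in the article, so resolve it from the
# ProgID's registry entry (HKCR\<ProgID>\CLSID) instead of hard-coding a value.
function Get-ClsidFromProgId {
    param([Parameter(Mandatory)][string]$ProgId)
    $key = "Registry::HKEY_CLASSES_ROOT\$ProgId\CLSID"
    if (-not (Test-Path -LiteralPath $key)) { return $null }
    (Get-ItemProperty -LiteralPath $key).'(default)'
}

# Kill-bit state lives under one key per CLSID. On 64-bit Windows the 32-bit
# view is checked too, because a 32-bit control is looked up there.
function Get-CompatKeys {
    param([Parameter(Mandatory)][string]$Clsid)
    $keys = @("HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid")
    if ([Environment]::Is64BitOperatingSystem) {
        $keys += "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
    }
    $keys
}

# True when the key exists and its Compatibility Flags value has the kill bit set.
function Test-KillBit {
    param([Parameter(Mandatory)][string]$Key)
    if (-not (Test-Path -LiteralPath $Key)) { return $false }
    $flags = (Get-ItemProperty -LiteralPath $Key).'Compatibility Flags'
    ($null -ne $flags) -and (($flags -band $KillBit) -ne 0)
}

# OR the kill bit into any flags already present so other settings survive.
function Set-KillBitOnKey {
    param([Parameter(Mandatory)][string]$Key)
    if (-not (Test-Path -LiteralPath $Key)) { New-Item -Path $Key -Force | Out-Null }
    $flags = (Get-ItemProperty -LiteralPath $Key).'Compatibility Flags'
    if ($null -eq $flags) { $flags = 0 }
    Set-ItemProperty -LiteralPath $Key -Name 'Compatibility Flags' -Value ($flags -bor $KillBit) -Type DWord
}

$clsid = Get-ClsidFromProgId -ProgId $ProgId
if (-not $clsid) {
    Write-Output "ProgID $ProgId is not registered on this machine; nothing to check."
    return
}
Write-Output "$ProgId resolves to CLSID $clsid"

foreach ($key in Get-CompatKeys -Clsid $clsid) {
    $before = Test-KillBit -Key $key
    if ($SetKillBit -and -not $before) { Set-KillBitOnKey -Key $key }
    $after = Test-KillBit -Key $key
    Write-Output ("{0}`n  kill bit before: {1}  after: {2}" -f $key, $before, $after)
}
```

Run without arguments to audit a machine, or with `-SetKillBit` to block the control. The kill bit only closes the web-browser path Endler describes; it does not patch the control, so a user who has not logged in since Oct. 31 still needs to connect to the ICQ network to receive AOL's fix for the IM-message path.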
Core Security warned of multiple
vulnerabilities in ICQ in early September. AOL then urged users to upgrade
to version 5.1 to fix the flaws.
An AOL representative could not immediately be reached for comment.