Core Security Technologies Discovers Multiple Vulnerabilities in AOL's Popular ICQ Messaging Software.


BOSTON -- With Upwards of 160 Million Users Potentially Affected, Vulnerabilities Allow Attackers to Exploit Holes in Popular Online Chat Software and Take Over User Machines

Core Security Technologies, provider of CORE IMPACT, the first-to-market penetration testing product for assessing specific information security risks, today issued advisories disclosing multiple vulnerabilities that could severely impact the more than 160 million registered users of America Online's ICQ ("I Seek You") global instant-messaging service. Researchers from CoreLabs, the research arm of Core Security, discovered that, by exploiting these vulnerabilities, an attacker could execute code and take control of a user's computer. AOL recommends that ICQ users immediately upgrade to ICQ version 5.1 to protect themselves from exploitation. Specifically, the vulnerabilities affect:

--ICQ Pro 2003b Build #3916 and previous versions: The ICQ Pro 2003b client works with AOL's Instant Messenger (AIM) and AOL services. The latest version of ICQ Pro 2003b, Build #3916, was released in October 2005 and is still available for download from ICQ's Web site.

--ICQ Toolbar 1.3 for Internet Explorer: This toolbar provides several features, including search, pop-up blocker, ICQmail notifier and RSS feeds. The toolbar is one of the various products offered by ICQ and it is currently available for download at ICQ.com.

"These vulnerabilities could present a significant security risk to millions of ICQ users and it is essential that users take the appropriate steps to ensure that they are properly protected. This is a good example of why client-side vulnerabilities in desktop software are a real and present danger that should be identified and addressed diligently," said Ivan Arce, CTO at Core Security Technologies.

Vulnerability Specifics:

AOL ICQ Pro 2003b heap overflow vulnerability--CoreLabs researchers uncovered a vulnerability in the way the ICQ Pro 2003b client handles incoming message lengths that could lead to denial of service attacks and remote compromise of systems running vulnerable versions of the client. Attacks that leverage this vulnerability would be difficult to identify and isolate, as exploit traffic does not present any features that make it easily distinguishable from normal IM communications.
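The bug class the advisory describes (a client that lets a wire-supplied message length drive a copy into a heap buffer) is illustrated below with an added example. It is not ICQ's code, not Core's advisory text, and not the actual defect; the packet layout (2-byte big-endian length followed by payload), the MAX_MSG buffer size and every function name are assumptions made for the illustration. The vulnerable parser is shown but never executed; the hardened parser validates the declared length against both the destination buffer and the bytes actually received.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_MSG 512   /* hypothetical fixed-size heap chunk the client allocates per message */

typedef struct {
    char  *text;   /* heap buffer, NUL-terminated */
    size_t len;    /* validated payload length */
} im_msg;

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* VULNERABLE pattern (never called in this file): the wire-supplied length drives memcpy into a
   fixed-size heap chunk. A declared length above MAX_MSG writes past the chunk (heap overflow);
   a declared length above the bytes actually received also reads past the packet buffer. */
char *parse_msg_vulnerable(const uint8_t *pkt, size_t pkt_len) {
    if (pkt_len < 2) return NULL;
    uint16_t len = be16(pkt);
    char *buf = malloc(MAX_MSG);
    if (buf == NULL) return NULL;
    memcpy(buf, pkt + 2, len);   /* BUG: len (up to 65535) is never checked against MAX_MSG or pkt_len */
    return buf;
}

/* How many bytes the vulnerable copy would write past its MAX_MSG chunk, computed from the
   header alone so nothing unsafe is executed. 0 means the packet is benign for that parser. */
size_t vulnerable_overflow_bytes(const uint8_t *pkt, size_t pkt_len) {
    if (pkt_len < 2) return 0;
    uint16_t len = be16(pkt);
    return len > MAX_MSG ? (size_t)len - MAX_MSG : 0;
}

/* Hardened: the declared length is checked against the buffer it fills (leaving room for the
   terminator) and against the bytes received, before any allocation or copy happens. */
int parse_msg_safe(const uint8_t *pkt, size_t pkt_len, im_msg *out) {
    if (pkt == NULL || out == NULL || pkt_len < 2) return -1;   /* truncated header */
    uint16_t len = be16(pkt);
    if (len >= MAX_MSG) return -2;              /* would not fit in the chunk */
    if ((size_t)len > pkt_len - 2) return -3;   /* header claims more payload than arrived */
    char *buf = malloc(MAX_MSG);
    if (buf == NULL) return -4;
    memcpy(buf, pkt + 2, len);
    buf[len] = '\0';
    out->text = buf;
    out->len = len;
    return 0;
}

/* Constructed test packet: declared length field followed by payload_bytes of 'A'. The two
   arguments are deliberately independent so the header can lie about the payload. */
size_t build_packet(uint8_t *out, size_t cap, uint16_t declared, size_t payload_bytes) {
    if (cap < 2 + payload_bytes) return 0;
    out[0] = (uint8_t)(declared >> 8);
    out[1] = (uint8_t)(declared & 0xff);
    memset(out + 2, 'A', payload_bytes);
    return 2 + payload_bytes;
}

/* Run one constructed packet through the hardened parser; returns its status code. */
int try_safe(uint16_t declared, size_t payload_bytes) {
    uint8_t pkt[2048];
    im_msg m;
    size_t n = build_packet(pkt, sizeof pkt, declared, payload_bytes);
    int rc = parse_msg_safe(pkt, n, &m);
    if (rc == 0) free(m.text);
    return rc;
}

/* Same constructed packet, measured against the vulnerable parser without executing it. */
size_t try_vulnerable_overflow(uint16_t declared, size_t payload_bytes) {
    uint8_t pkt[2048];
    size_t n = build_packet(pkt, sizeof pkt, declared, payload_bytes);
    return vulnerable_overflow_bytes(pkt, n);
}

int main(void) {
    printf("5-byte message: safe rc=%d, vulnerable overflow=%zu bytes\n",
           try_safe(5, 5), try_vulnerable_overflow(5, 5));
    printf("700-byte message: safe rc=%d, vulnerable overflow=%zu bytes past the %d-byte chunk\n",
           try_safe(700, 700), try_vulnerable_overflow(700, 700), MAX_MSG);
    printf("header claims 300 bytes, 10 sent: safe rc=%d\n", try_safe(300, 10));
    return 0;
}
```

Note what the 700-byte case shows about detectability: on the wire it is a well-formed message with a consistent length field and printable payload. The only property that makes it dangerous, a declared length larger than a buffer size that exists inside the client, is invisible to a network sensor, which is the practical reason the release says exploit traffic is hard to tell apart from ordinary IM traffic and why the fix has to be in the client (upgrade) rather than in a signature.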

In response, the AOL Product Vulnerabilities team provided the following statement: "AOL has recently been made aware of a vulnerability in the ICQ 2003b client build #3916. Successful exploitation of the vulnerability may allow an attacker to remotely execute commands. AOL and ICQ recommend that users upgrade to the latest version of the ICQ client: ICQ 5.1."

Multiple vulnerabilities in ICQ Toolbar 1.3 for Internet Explorer--CoreLabs also discovered a problem in the way the ICQ Toolbar implements its Web configuration interface, which enables attackers controlling a malicious Web site to change the ICQ Toolbar's configuration settings without users of the ICQ Toolbar noticing. Additionally, cross-site scripting vulnerabilities in the toolbar's RSS Feeds interface could allow malicious RSS feeds to execute scripting code in the context of the Feeds interface, and allow attackers to access (and, in specific cases, change) configuration settings.

In response to the remote configuration vulnerability, the AOL Product Vulnerabilities team recommends that users carefully inspect the source of any Web-based files they use to configure their ICQ Toolbar. To address the malicious RSS feed vulnerability, it recommends that users download ICQ Toolbar 1.2, which is packaged with ICQ 5.1 and does not have the RSS feed capability.

For more information on both vulnerabilities and the systems affected, please visit: http://www.coresecurity.com/common/showdoc.php?idx=583&idxseccion=10 and http://www.coresecurity.com/common/showdoc.php?idx=584&idxseccion=10

About CoreLabs

CoreLabs, the research center of Core Security Technologies, is charged with anticipating the future needs and requirements for information security technologies. Research is conducted in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing and cryptography. Results from these efforts include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies.

CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: http://www.coresecurity.com/corelabs/

About Core Security Technologies

Core Security Technologies develops strategic solutions that help security-conscious organizations worldwide develop and maintain a proactive process for securing their networks. The company's flagship product, CORE IMPACT, is the first automated penetration testing product for assessing specific information security threats to an organization. Penetration testing evaluates overall network security and identifies what resources are exposed. It enables organizations to determine if current security investments are detecting and preventing attacks. Core augments its leading technology solution with world-class security consulting services, including penetration testing, software security auditing and related training. Based in Boston, MA and Buenos Aires, Argentina, Core Security Technologies can be reached at 617-399-6980 or on the Web at http://www.coresecurity.com.
COPYRIGHT 2006 Business Wire
No portion of this article can be reproduced without the express written permission from the copyright holder.
Copyright 2006, Gale Group. All rights reserved. Gale Group is a Thomson Corporation Company.

Article Details
Publication:Business Wire
Geographic Code:1USA
Date:Sep 7, 2006
Words:779