TippingPoint researchers warned AOL ICQ users this week about a vulnerability that allows attackers to execute malicious code onto a vulnerable PC without user interaction.
The update was immediately applied to ICQ version 5.1 users when they logged on to the network, according to a TippingPoint advisory.
Researchers from TippingPoint's Zero Day Initiative reported the flaw to AOL on Sept. 20, but held back information from the public because the vulnerability could easily led to the spread of a worm, TippingPoint researchers said.
The flaw exists in the DownloadAgent function of the IM service's ICQPhone.SipxPhoneManager ActiveX control. Hackers can use a malicious ICQ avatar to exploit the flaw, according to TippingPoint's advisory.
Terri Forslof, manager of security response for TippingPoint, told SCMagazine.com today that ICQ users who have not logged in to the service this month must still be vigilant against attacks.
"What I think is particularly interesting about (the flaw) is that customers who have not logged in are not protected, and they can still be attacked by a website," she said. "Most people think that if they're not using the service, they're not at risk. In this case, that's not true."
Dave Endler, director of security research for TippingPoint, said attackers can use both websites and malicious IM messages to exploit the flaw.
"This issue is unique in that it can be exploited through a web browser as well as the ICQ network itself. ICQ users who have not logged into the ICQ network since Oct. 31 can still be affected through a malicious website because it does not require user interaction," he said. "The same six degrees of freedom that connects everyone on the ICQ network can be leveraged by a worm to spread autonomously and quickly."
Core Security warned of multiple vulnerabilities in ICQ in early September. AOL then urged users to upgrade to version 5.1 to fix the flaws.
An AOL representative could not immediately be reached for comment.
Click here to email Frank Washkuch Jr.