Security Architecture, Endpoint/Device Security, Endpoint/Device Security, Security Strategy, Plan, Budget, Vulnerability Management, Patch/Configuration Management, Endpoint/Device Security, Endpoint/Device Security, Endpoint/Device Security

Core Security: Multiple flaws in AOL messenger

Users of AOL's ICQ instant messenger (IM) were warned this week of multiple vulnerabilities in their IM software.

 By exploiting these flaws, hackers could severely impact more than 160 million users of the service, according to Boston-based Core Security.

Hackers could take direct control over an affected user's PC through flaws in AOL ICQ Pro 2003b heap overflow vulnerability and ICQ Toolbar 1.3 for Internet Explorer, according to a Core Security advisory released today.

AOL has recommended that users upgrade to version 5.1 of the product to fix the flaws.

Max Caceres, director of product management for Core Security, said today that the flaws are frightening because "millions of users could be exploited. Anyone running this version today could be exploited."

"It is a little bit scary. One reason is that it is very widespread software," he said. "It's also part of the trend of vulnerabilities being found in software used in workstations. Perimeter security doesn't protect you at all."

One flaw exists in the way that ICQ Pro 2003b client handles incoming message lengths, which could lead to DoS attacks and remote compromising of systems. Attacks taking advantage of the flaw would be difficult to spot, according to Core Security, because exploit traffic does not look different from ordinary IM conversations.

The firm also discovered numerous flaws in ICQ Toolbar 1.3, which enable malicious users to change its configuration settings without user knowledge.

An AOL representative could not immediately be reached for comment.

Cross-site scripting flaws in the toolbar's RSS feeds interface could allow malicious feeds to execute scripting code in the context of the feeds interface.

Click here to email reporter Frank Washkuch Jr.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.