
Bevy of ICQ vulnerabilities surface

May 06, 2003


Six security vulnerabilities in AOL’s free ICQ Pro instant messaging client give attackers a number of new ways to gain remote control over machines running the software, according to an advisory published Monday by Core Security Technologies.

The vulnerabilities affect all versions of the Mirabilis ICQ Pro instant messaging client up to and including the Mirabilis ICQ Pro 2003a release. ICQ Lite, another free version of the product, is not affected by the vulnerabilities, according to Ejovi Nuwere, lead security engineer at Core Security.

Core Security found problems in a variety of ICQ components, including features for receiving e-mail messages, displaying banner advertisements and GIF format images, and even in the code used to handle product feature upgrades, according to the company.

All of the vulnerabilities were tested on machines running versions of the Windows operating system, but ICQ Pro clients for other platforms are also believed to be vulnerable, Nuwere said.

The most serious of the vulnerabilities were found in a POP3 mail client that is integrated with the ICQ Pro product. The client enables ICQ users to remotely retrieve e-mail messages from their mail server.

A format string vulnerability and a buffer overflow hole in the client could enable a malicious hacker to remotely attack a machine running ICQ and execute malicious code on the system. Attackers could use improperly formatted e-mail messages to deliver the attack, according to Nuwere.

In testing, researchers were able to use the vulnerabilities to remotely capture and send out password and mail files from a machine running Microsoft Windows NT, he said.

While not every ICQ vulnerability discovered by Core Security is that serious, all of those found could be remotely exploited and could, at the least, cause the ICQ client to crash, Nuwere said.

The vulnerabilities are sophisticated enough that an attacker would need to have experience writing exploits to take advantage of them. However, given that level of coding knowledge, creating an exploit would be a simple matter requiring maybe a day or two of effort, Nuwere said.

Despite the severity of the problems, Core Security received no response from AOL regarding the vulnerabilities, of which it first informed the ISP in early March.

Core Security made repeated efforts to contact an AOL representative, sending information about its discovery to multiple support e-mail addresses at AOL and polling online security discussion groups for contact names and numbers at the ISP. Having received no response to a second and third round of notifications in late March and early April, Core Security went public with its discovery Monday.

“Our standard policy is to contact any vendor whose products we find problems with and give them 30 days’ notice. As of today we haven’t heard of anything (from AOL),” Nuwere said.

AOL acquired the ICQ product with its purchase of Israeli company Mirabilis in 1998. The product is still managed from Israel and a U.S. spokesman for AOL seemed unfamiliar with the reported problems when asked about them on Tuesday.

“All I can tell you is that we take all these reports very seriously and we’re looking into it,” said Derick Mains. “We need information from the folks in Israel,” he said.

While ICQ was one of the first widely used instant messaging (IM) clients, it has since been supplanted in popularity by other clients including AOL’s Instant Messenger and similar products from Microsoft and Yahoo. The client remains popular, however, and the company’s Web site boasts of more than 150 million registered users.

In the absence of a software patch, users can best protect themselves by disabling the POP3 and “Features on Demand” services on their ICQ Pro client, Nuwere said. Where ICQ is used in corporate environments, mail server filtering products can also be configured to stop messages containing long subject lines and other characteristics that might contain an attempted buffer overflow attack, Nuwere said.
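The kind of mail-gateway check described above can be sketched as follows. This is an added example, not code from Core Security, AOL or the original article; the function name `inspect_message`, the length thresholds and the printf-specifier heuristic are assumptions chosen for illustration, since the article does not give the advisory's technical details.

```python
import re
from email import message_from_bytes

# Assumed thresholds, not taken from the advisory; tune them per site.
MAX_SUBJECT_LEN = 255   # longest Subject value accepted
MAX_HEADER_LEN = 998    # cap for other headers (RFC 5322 per-line limit, reused)
MAX_FMT_SPECS = 3       # more printf-style conversions than this is suspicious
# printf-style conversion such as %x, %08x, %5$s or %n
FMT_SPEC = re.compile(r"%(?:\d+\$)?[-+#0]*\d*(?:\.\d+)?(?:hh|h|ll|l)?[diouxXsnp]")

def inspect_message(raw):
    """Return the reasons to quarantine a raw RFC 822 message (empty list = pass)."""
    reasons = []
    for name, value in message_from_bytes(raw).items():
        # Unfold continuation lines so folding cannot hide the real length.
        value = re.sub(r"\r?\n[ \t]+", " ", str(value))
        limit = MAX_SUBJECT_LEN if name.lower() == "subject" else MAX_HEADER_LEN
        if len(value) > limit:
            reasons.append(f"{name}: length {len(value)} exceeds {limit}")
        specs = FMT_SPEC.findall(value)
        if len(specs) > MAX_FMT_SPECS or any(s.endswith("n") for s in specs):
            reasons.append(f"{name}: {len(specs)} printf-style conversion(s)")
    return reasons

# Constructed sample messages, not captured traffic.
SAMPLES = {
    "benign": b"From: a@example.com\r\nSubject: Sales up 5% this quarter\r\n\r\nhi\r\n",
    "long_subject": b"From: a@example.com\r\nSubject: " + b"A" * 2000 + b"\r\n\r\nhi\r\n",
    "format_specs": b"From: a@example.com\r\nSubject: %x%x%x%x%n\r\n\r\nhi\r\n",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, inspect_message(raw) or "pass")
```

The specifier check is a heuristic and will occasionally match legitimate text such as URL-encoded strings, so a gateway would normally quarantine on a hit rather than drop the message.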

However, the more time that passes between the disclosure of the problems and a software fix from AOL, the more likely attackers are to exploit the ICQ vulnerabilities, Nuwere said.

“The problem with most vulnerabilities is user awareness. This could be fixed tomorrow but that doesn’t guarantee that users will download the fix tomorrow,” he said.