ICQ flaws open PCs to attack

Could be nasty

Two serious flaws in America Online's ICQ software could allow an online attacker to take control of a person's PC, a US security firm warned in an advisory released on Monday.

Core Security Technologies described the vulnerabilities in an advisory released to several public security lists. While the company found a total of six flaws, it said only two have serious implications because they could allow an attacker to run code on the victim's computer.

"However, the risk associated to each vulnerability is highly dependent on the environment in which ICQ is being used," said Ivan Arce, chief technology officer for Core. "Generally we don't make assumptions about risk in our advisories because we don't think the one-size-fits-all approach is valid."

The vulnerable ICQ Pro 2003a client is the latest version of America Online's ICQ instant messaging software, which has been downloaded from silicon's sister operation Download.com more than 228 million times. Last year, the company offered a slimmed-down version called ICQ Lite. That application doesn't have the flaws, according to the advisory.

No one from America Online's ICQ subsidiary was available on Monday to comment on the alleged flaws. The security researchers also noted that they had problems reaching those responsible for security at ICQ.

"We also attempted to get specific security contact points from third parties that might have reported ICQ bugs before but had no success with this either, so after over a month of going back and forth with the advisory we finally decided to publish it unilaterally," he said.

Three of the vulnerabilities, including one of the critical flaws, occurred in the software's email feature. A bug in that component could allow an attacker who can impersonate the user's email server to exploit the way the software handles email and cause it to execute code.

The other so-called critical vulnerability appeared in a feature of ICQ that allows automated updating, the group said. Because that component doesn't have adequate security, an attacker could pretend to be sending a legitimate update when in reality the upgrade is hostile code.

Israeli company Mirabilis, which created the software, was bought by America Online in June 1998 and its name was changed to ICQ Inc. ICQ is short for "I Seek You."

Robert Lemos writes for News.com