
AOL ICQ in hacker risk alert

Buffer overflow needs to be slayed


A remotely exploitable buffer overflow glitch poses a risk for AOL ICQ users who have failed to apply a security fix, CERT warned yesterday.

It says attackers who are able to exploit the vulnerability may be able to execute arbitrary code with the privileges of the victim user.

An exploit is known to exist, but it is not believed to be widely distributed. Nor is there any evidence of crackers scanning the Internet in search of vulnerable machines.

Since ICQ is used by an estimated 122 million users, the vulnerability is still a concern.

The buffer overflow, which affects AOL Mirabilis ICQ Versions 2001A and prior, occurs during the processing of a Voice, Video & Games feature request message.

As with the AOL Instant Messenger AIM vulnerability (discovered earlier this month), AOL has modified the ICQ server infrastructure to filter malicious messages that attempt to exploit this vulnerability. However, exploiting the vulnerability through other means (man-in-the-middle attacks, third-party ICQ servers, DNS spoofing, network sniffing, etc.) may still be possible.

AOL Time Warner is recommending all users of vulnerable versions of ICQ upgrade to 2001B Beta v5.18 Build #3659. ®

External links

CERT Advisory: buffer overflow in AOL ICQ
