[ISN] Security group: ICQ is flawed

From: InfoSec News (isnat_private)
Date: Wed May 07 2003 - 02:15:22 PDT

  • Next message: InfoSec News: "[ISN] Stephen Glass Waits for Prime Time to Say 'I Lied'"

    Forwarded from: Ejovi Nuwere <ejoviat_private>
    
    http://zdnet.com.com/2100-1105_2-999870.html
    
    By Robert Lemos
    CNET News.com
    May 6, 2003, 
    
    Two serious flaws in America Online's ICQ software could allow an
    online attacker to take control of a person's PC, a Boston security
    firm warned in an advisory released Monday.
    
    Core Security Technologies described the vulnerabilities in an
    advisory released to several public security lists. While the company
    found a total of six flaws, it said only two have serious implications
    because they could allow an attacker to run code on the victim's
    computer.
    
    "However, the risk associated to each vulnerabilities is highly
    dependent on the environment in which ICQ is being used," said Ivan
    Arce, chief technology officer for Core. "Generally we don't make
    assumptions about risk in our advisories because we don't think the
    one-size-fits-all approach is valid."
    
    The vulnerable ICQ Pro 2003a client is the latest version of America
    Online's ICQ instant messaging software, which has been downloaded
    from CNET Network's Download.com site more than 228 million times.
    Last year, the company offered a slimmed down version called ICQ Lite.
    That application doesn't have the flaws, according to the advisory.
    
    No one from America Online's ICQ subsidiary was available Monday to
    comment on the alleged flaws. The security researchers also noted that
    they had problems reaching those responsible for security at ICQ.
    
    "We also attempted to get specific security contact points from third
    parties that might have reported ICQ bugs before but had no success
    with this either, so after over a month of going back and forth with
    the advisory we finally decided to publish it unilaterally," he said.
    
    Three of the vulnerabilities, including one of the critical flaws,
    occurred in the software's e-mail feature. A bug in the component
    could allow an attacker to use the way the software handles e-mail to
    cause it to execute code, if the attacker can impersonate the user's
    e-mail server.
    
    The other so-called critical vulnerability appeared in a feature of
    ICQ that allows automated updating, the group said. Because that
    component doesn't have adequate security, an attacker could pretend to
    be sending a legitimate update when in reality the upgrade is hostile
    code.
    
    Israeli company Mirabilis, which created the software, was bought by
    America Online in June 1998 and its name was changed to ICQ Inc. ICQ
    is short for "I Seek You."
    
    
    -- 
    ejovi nuwere
    http://www.ejovi.net
    http://www.hackercracker.net
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.
    



    This archive was generated by hypermail 2b30 : Wed May 07 2003 - 04:42:56 PDT