> 1. I am not able to verify this vulnerability under Windows98, running ICQ
> 99b Beta 3.19 Build 2569. I tried sending excessively long URL's using
> the URL message send (I could not find a way of sending a URL during chat,
> [snip...]

I believe the buffer overflow is in the regular text messages, NOT the URL messages. ICQ usually parses and highlights URL's typed into messages. I just tried sending a really long URL in a message with the same version of ICQ under Windows 98 and the client crashed as soon as I clicked on the URL. It will also die if you open up the message in the history and click on the URL.

> 2. I do not agree with your fix, however. There is a much simpler fix
> available, go into the Preferences window, select the Events tab, select
> the URL setting on the "Select Event to Configure" combobox and then
> select "Auto Decline." This appears to shut down the http event.
> [snip...]

Since the problem is in the regular messages, you can't very well decline all of those. It is probably best just to auto-decline all the ones that aren't from people you know (i.e. those folks on your contact list). As far as I can tell, the overflow doesn't happen just by viewing the message - you have to click on the URL. If that's the case, you might just be able to avoid the problem by not clicking on those long urls.
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:28:15 PDT