BetaONE will rise again!


Reply
  #1  
Old 8th May 03, 12:21 AM
Bads's Avatar
Bads Bads is offline
BetaONE Supporter
 
Join Date: Jul 2001
Location: Quebec
Posts: 1,710
Bads is an unknown quantity at this point
Several Security Flaws Found in ICQ

Instant messaging app could allow an attacker to gain control of your PC.

Paul Roberts, IDG News Service
Wednesday, May 07, 2003

Six security vulnerabilities in America Online's free ICQ Pro instant messaging client give attackers a number of new ways to gain remote control over machines running the software, according to an advisory published Monday by Core Security Technologies.

The vulnerabilities affect all versions of the Mirabilis ICQ Pro instant messaging client up to and including the Mirabilis ICQ Pro 2003a release. ICQ Lite, another free version of the product, is not affected by the vulnerabilities, according to Ejovi Nuwere, lead security engineer at Core Security.

Core Security found problems in a variety of ICQ components, including features for receiving e-mail messages, displaying banner advertisements and GIF format images, and even in the code used to handle product feature upgrades, according to the company.

All of the vulnerabilities were tested on machines running versions of the Windows operating system, but ICQ Pro clients for other platforms are also believed to be vulnerable, Nuwere said.

Serious Concerns
The most serious of the vulnerabilities were found in a POP3 mail client that is integrated with the ICQ Pro product. The client enables ICQ users to remotely retrieve e-mail messages from their mail server.

A format string vulnerability and a buffer overflow vulnerability in the client could enable a malicious hacker to remotely attack a machine running ICQ and execute malicious code on the system. Attackers could use improperly formatted e-mail messages to deliver the attack, according to Nuwere.

In testing, researchers were able to use the vulnerabilities to remotely capture and send out password and mail files from a machine running Microsoft's Windows NT operating system, he said.

While not every ICQ vulnerability discovered by Core Security is that serious, all of those found could be remotely exploited and could, at the least, cause the ICQ client to crash, Nuwere said.

The vulnerabilities are sophisticated enough that an attacker would need to have experience writing exploits to take advantage of them. However, given that level of coding knowledge, creating an exploit would be a simple matter requiring maybe a day or two of effort, Nuwere said.

Getting the Message?
Despite the severity of the problems, Core Security received no response from AOL regarding the problems, which it first informed the company of in early March.

The company made repeated efforts to contact an AOL representative, sending information on their discovery to multiple support e-mail addresses at the company and polling online security discussion groups for contact names and numbers within AOL. After receiving no response after a second and third round of notifications in late March and early April, the company went public with their discovery Monday.

"Our standard policy is to contact any vendor whose products we find problems with and give them 30 days notice. As of today we haven't heard of anything [from AOL]," Nuwere said.

AOL acquired the ICQ product with their purchase of Israeli company Mirabilis in 1998. The product is still managed from Israel and a U.S. spokesperson for AOL seemed unfamiliar with the reported problems when asked about them on Tuesday.

"All I can tell you is that we take all these reports very seriously and we're looking into it," said Derick Mains. "We need information from the folks in Israel," he said.

While ICQ was one of the first widely used instant messaging clients, it has since been supplanted in popularity by other clients including AOL's Instant Messenger and similar products from Microsoft and Yahoo. The client remains popular, however, and the company's Web site boasts of more than 150 million registered users.

Protect Yourself
In the absence of a software patch users can best protect themselves by disabling the POP3 and "Features on Demand" services on their ICQ Pro client, Nuwere said. Where ICQ is used in corporate environments, mail server filtering products can also be configured to stop messages containing long subject lines and other characteristics that might contain an attempted buffer overflow attack, Nuwere said.

However, the more time that passes between the disclosure of the problems and a software fix from AOL, the more likely attackers are to exploit the ICQ vulnerabilities, Nuwere said.

"The problem with most vulnerabilities is user awareness. This could be fixed tomorrow but that doesn't guarantee that users will download the fix tomorrow," he said.
__________________
Reply With Quote
  #2  
Old 8th May 03, 12:41 AM
KingCobra's Avatar
KingCobra KingCobra is offline
Senior Member
 
Join Date: Dec 2001
Location: Illinois
Posts: 2,409
KingCobra is on a distinguished road
Send a message via Yahoo to KingCobra
Thanks Bads!

Good reading. Another reason to dislike AOL.
__________________
Reply With Quote
Reply


Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)
 
Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

vB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
Real, KDE Patch Security Flaws NewsBot NeoWin News 0 27th Oct 04 09:30 PM
Windows v Linux security: the real facts NewsBot NeoWin News 0 22nd Oct 04 11:00 PM


All times are GMT +1. The time now is 08:18 PM.


Design by Vjacheslav Trushkin for phpBBStyles.com.
Powered by vBulletin® Version 3.6.5
Copyright ©2000 - 2024, Jelsoft Enterprises Ltd.