The update was immediately applied to ICQ version 5.1 users when they logged on to the network, according to a TippingPoint advisory. Researchers from TippingPoint's Zero Day Initiative reported the flaw to AOL on Sept. 20, but held back information from the public because the vulnerability could easily led to the spread of a worm, TippingPoint researchers said. The flaw exists in the DownloadAgent function of the IM service's ICQPhone.SipxPhoneManager ActiveX control. Hackers can use a malicious ICQ avatar to exploit the flaw, according to TippingPoint's advisory.
Terri Forslof, manager of security response for TippingPoint, told SCMagazine.com today that ICQ users who have not logged in to the service this month must still be vigilant against attacks. "What I think is particularly interesting about (the flaw) is that customers who have not logged in are not protected, and they can still be attacked by a website," she said. "Most people think that if they're not using the service, they're not at risk. In this case, that's not true." Dave Endler, director of security research for TippingPoint, said attackers can use both websites and malicious IM messages to exploit the flaw.
"This issue is unique in that it can be exploited through a web browser as well as the ICQ network itself. ICQ users who have not logged into the ICQ network since Oct. 31 can still be affected through a malicious website because it does not require user interaction," he said. "The same six degrees of freedom that connects everyone on the ICQ network can be leveraged by a worm to spread autonomously and quickly."
Click here to email Frank Washkuch Jr.