Six security vulnerabilities in America Online's (AOL's) ICQ Pro instant messaging client give attackers a number of new ways to gain remote control over machines running the software, according to an advisory published Monday by Core Security Technologies.
The vulnerabilities affect all versions of the Mirabilis ICQ Pro instant messaging client up to and including the Mirabilis ICQ Pro 2003a release. ICQ Lite, another free version of the software, is not affected by the vulnerabilities, according to Ejovi Nuwere, lead security engineer at Core Security.
Core Security found problems in a variety of ICQ components, including features for receiving e-mail messages, displaying banner advertisements and GIF format images, and even in the code used to handle product feature upgrades, according to the company.
All of the vulnerabilities were tested on machines running versions of the Windows operating system, but ICQ Pro clients for other platforms are also believed to be vulnerable, Nuwere said.
The most serious of the vulnerabilities were found in a Post Office Protocol version 3 (POP3) mail client that is integrated with the ICQ Pro product. The client enables ICQ users to remotely retrieve e-mail messages from their mail server.
A format string vulnerability and a buffer overflow vulnerability in the client could enable a malicious hacker to remotely attack a machine running ICQ and execute malicious code on the system. Attackers could use improperly formatted e-mail messages to deliver the attack, according to Nuwere.
In testing, researchers were able to use the vulnerabilities to remotely capture and send out password and mail files from a machine running Microsoft's Windows NT operating system, he said.
While not every ICQ vulnerability discovered by Core Security is that serious, all of those found could be remotely exploited and could, at the least, cause the ICQ client to crash, Nuwere said.
The vulnerabilities are sophisticated enough that an attacker would need to have experience writing exploits to take advantage of them. However, given that level of coding knowledge, creating an exploit would be a simple matter requiring maybe a day or two of effort, Nuwere said.
Despite the severity of the problems, Core Security received no response from AOL regarding the problems, which it first informed the company of in early March.
The company made repeated efforts to contact an AOL representative, sending information on their discovery to multiple support e-mail addresses at the company and polling online security discussion groups for contact names and numbers within AOL. After receiving no response after a second and third round of notifications in late March and early April, the company went public with their discovery Monday.
"Our standard policy is to contact any vendor whose products we find problems with and give them 30 days notice. As of today we haven't heard of anything (from AOL)," Nuwere said.
AOL acquired the ICQ product with their purchase of Israeli company Mirabilis in 1998. The product is still managed from Israel and a U.S. spokesman for AOL seemed unfamiliar with the reported problems when asked about them on Tuesday.
"All I can tell you is that we take all these reports very seriously and we're looking into it," said Derick Mains. "We need information from the folks in Israel," he said.
While ICQ was one of the first widely used instant messaging (IM) clients, it has since been supplanted in popularity by other clients including AOL's Instant Messenger and similar products from Microsoft and Yahoo. The client remains popular, however, and the company's Web site boasts of more than 150 million registered users.
In the absence of a software patch users can best protect themselves by disabling the POP3 and "Features on Demand" services on their ICQ Pro client, Nuwere said. Where ICQ is used in corporate environments, mail server filtering products can also be configured to stop messages containing long subject lines and other characteristics that might contain an attempted buffer overflow attack, Nuwere said.
However, the more time that passes between the disclosure of the problems and a software fix from AOL, the more likely attackers are to exploit the ICQ vulnerabilities, Nuwere said.
"The problem with most vulnerabilities is user awareness. This could be fixed tomorrow but that doesn't guarantee that users will download the fix tomorrow," he said.