SAN FRANCISCO: AOL on Monday urged users of older versions of its ICQ instant
messaging program to upgrade to the latest version because of a new security
hole that could leave computers vulnerable to hacking.
A bug has been found in the voice/video and games features in versions
earlier than version 2001b of ICQ, which was released in October, said Andrew
Weinstein, a spokesman for the Dulles, Virginia-based company.
The problem results when the application is flooded with more data than it
can handle, triggering a so-called "buffer overflow" error and
allowing extraneous code to be executed. That could allow someone to download
malicious code onto a targeted computer.
People using older versions of ICQ can download the newest version from
http://www.icq.com/download/. Users of the newer version of ICQ do not have to
make any changes, according to Weinstein. The company has made some modifications
to its servers to mitigate the risk to affected users, he said.
"The exploit, to our knowledge, never has been used in the wild,"
Weinstein added. A University of Pennsylvania student first discovered the hole
and it was posted to Bugtraq, a security e-mail list, a week ago, he said.
There are 125 million registered users of ICQ, Weinstein said. It is the
second such security flaw to be found in AOL instant messaging software this
month.
Two weeks ago a buffer overflow-related security hole was disclosed in AOL's
other instant messaging program -- AOL Instant Messenger, also called AIM. That
hole could allow a malicious hacker to take control of computers through AIM's
advanced game-playing feature.
There are about 100 million registered AIM users, 29 million of whom are
active users, according to an industry report.
(C) Reuters Limited.