This could be fixed tomorrow but that doesn't guarantee that users will download the fix tomorrow," he said.Registration and Installation Instructions ICQ "The problem with most vulnerabilities is user awareness. However, the more time that passes between the disclosure of the problems and a software fix from AOL, the more likely attackers are to exploit the ICQ vulnerabilities, Nuwere said.
Where ICQ is used in corporate environments, mail server filtering products can also be configured to stop messages containing long subject lines and other characteristics that might contain an attempted buffer overflow attack, Nuwere said.
In the absence of a software patch, users can best protect themselves by disabling the POP3 and "Features on Demand" services on their ICQ Pro client, Nuwere said. The client remains popular, however, and the company's Web site boasts of more than 150 million registered users. While ICQ was one of the first widely used instant messaging (IM) clients, it has since been supplanted in popularity by other clients including AOL's Instant Messenger and similar products from Microsoft and Yahoo. "We need information from the folks in Israel," he said. "All I can tell you is that we take all these reports very seriously and we're looking into it," said Derick Mains. spokesman for AOL seemed unfamiliar with the reported problems when asked about them on Tuesday. The product is still managed from Israel and a U.S. As of today we haven't heard of anything ," Nuwere said.ĪOL acquired the ICQ product with their purchase of Israeli company Mirabilis in 1998. "Our standard policy is to contact any vendor whose products we find problems with and give them 30 days notice. After receiving no response after a second and third round of notifications in late March and early April, the company went public with their discovery Monday. The company made repeated efforts to contact an AOL representative, sending information on their discovery to multiple support e-mail addresses at the company and polling online security discussion groups for contact names and numbers within AOL. However, given that level of coding knowledge, creating an exploit would be a simple matter requiring maybe a day or two of effort, Nuwere said.ĭespite the severity of the problems, Core Security received no response from AOL regarding the problems, which it first informed the company of in early March. The vulnerabilities are sophisticated enough that an attacker would need to have experience writing exploits to take advantage of them. While not every ICQ vulnerability discovered by Core Security is that serious, all of those found could be remotely exploited and could, at the least, cause the ICQ client to crash, Nuwere said.
0 kommentar(er)
