Core Security is warning its customers about a security hole in ICQ, but you should read the small print about this one.

In an advisory released today, Core said that the company’s researchers have found “severe vulnerabilities in AOL’s ICQ that could affect millions of users.” According to Core, AOL ICQ Pro 2003b contains a heap overflow vulnerability in the code that handles incoming message lengths. Successful attacks against this could lead to denial of service and remote compromise of systems running vulnerable versions of the client, Core said.

HOWEVER, this hole has already been fixed in the latest version of ICQ, 5.1, according to AOL spokesman Andrew Weinstein. Sure, the 2003b version of the software is still available from AOL, as Core points out, but the percentage of users on the latest version is “substantial,” given that AOL continually prompts users to upgrade their client software once a new version is available.

Core is also reporting vulnerabilities in ICQ Toolbar 1.3 for Internet Explorer. This one does affect the latest version of ICQ Toolbar, but the worst case scenario Core mentions is “attackers controlling a malicious web site to change the ICQ toolbar’s configuration settings,” or “malicious RSS feeds (that) execute scripting code in the context of the Feeds interface, and allow attackers to access (and, in specific cases, change) configuration settings.” OK, so the net here is that your ICQ toolbar configuration settings get changed.

So is this FUD? Not really. It sounds like Core definitely uncovered some potentially dangerous holes in ICQ. But if you’re using the latest client, you’re protected from the more serious of these. If you’re using the toolbar, you are vulnerable to RSS- or Web-based attacks, but the worst case scenario is a sudden and unannounced toolbar configuration change.

Weinstein said a fix for the first issue is in the current version and that the company considers the second a low-risk issue. Not sure if that means a fix is coming…or not. At the very least, AOL should remove ICQ Pro 2003b from its download site, pending a fix for the hole Core identified.
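A footnote on what “a heap overflow in code for handling incoming message lengths” typically looks like in practice. The C below is an illustration added to this post; it is not code from Core’s advisory and not ICQ’s actual parser, and the two-byte length field, the `MAX_PAYLOAD` buffer size and all the function names are constructed for the example. It puts the vulnerable pattern (a fixed-size heap buffer, a copy sized by the sender’s declared length) next to the hardened version, which checks the declared length against both the bytes actually received and the buffer’s capacity before copying anything.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed wire format for this illustration only (NOT ICQ's real protocol):
 * a 2-byte little-endian "declared payload length" followed by the payload.
 * MAX_PAYLOAD stands in for a hypothetical client's fixed receive buffer. */
#define MAX_PAYLOAD 64

static uint16_t read_le16(const uint8_t *p)
{
    return (uint16_t)(p[0] | ((uint16_t)p[1] << 8));
}

/* Vulnerable pattern: the heap buffer is sized by a constant, but the copy is
 * sized by the attacker-controlled length field. A declared length above
 * MAX_PAYLOAD writes past the allocation (heap overflow); a declared length
 * above the bytes actually received also reads past the end of the packet. */
char *parse_vulnerable(const uint8_t *pkt, size_t pkt_len)
{
    if (pkt_len < 2) return NULL;
    uint16_t declared = read_le16(pkt);
    char *buf = malloc(MAX_PAYLOAD + 1);
    if (!buf) return NULL;
    memcpy(buf, pkt + 2, declared);  /* BUG: unbounded by MAX_PAYLOAD or pkt_len */
    buf[declared] = '\0';            /* BUG: also out of bounds for large values */
    return buf;
}

/* Hardened: validate the declared length against both the bytes present in
 * the packet and the destination capacity before touching memory. */
char *parse_hardened(const uint8_t *pkt, size_t pkt_len)
{
    if (pkt_len < 2) return NULL;
    uint16_t declared = read_le16(pkt);
    if (declared > pkt_len - 2) return NULL;   /* would over-read the packet */
    if (declared > MAX_PAYLOAD) return NULL;   /* would overflow the buffer */
    char *buf = malloc((size_t)declared + 1);
    if (!buf) return NULL;
    memcpy(buf, pkt + 2, declared);
    buf[declared] = '\0';
    return buf;
}

/* Build a packet: length field + payload. `declared` may deliberately disagree
 * with the real payload size so malformed packets can be constructed.
 * Returns bytes written, or 0 if the output buffer is too small. */
size_t build_packet(uint8_t *out, size_t out_cap, uint16_t declared, const char *payload)
{
    size_t n = strlen(payload);
    if (out_cap < 2 + n) return 0;
    out[0] = (uint8_t)(declared & 0xff);
    out[1] = (uint8_t)(declared >> 8);
    memcpy(out + 2, payload, n);
    return 2 + n;
}

/* Returns 1 if the hardened parser accepts the constructed packet and hands
 * back the first `declared` payload bytes intact, 0 if it rejects it. */
int hardened_accepts(uint16_t declared, const char *payload)
{
    uint8_t pkt[2 + MAX_PAYLOAD + 16];
    size_t n = build_packet(pkt, sizeof pkt, declared, payload);
    if (n == 0) return 0;
    char *msg = parse_hardened(pkt, n);
    if (!msg) return 0;
    int ok = strlen(msg) == declared && memcmp(msg, payload, declared) == 0;
    free(msg);
    return ok;
}

int main(void)
{
    printf("well-formed (5, \"hello\"):  %s\n",
           hardened_accepts(5, "hello") ? "accepted" : "rejected");
    printf("oversize length (0x0400):  %s\n",
           hardened_accepts(0x0400, "hello") ? "accepted" : "rejected");
    printf("truncated payload (6):     %s\n",
           hardened_accepts(6, "hello") ? "accepted" : "rejected");

    /* The oversize packet through the vulnerable parser: 1024 bytes are copied
     * into a 65-byte heap block. The packet buffer is made large enough that
     * the only fault is the heap write; build with -fsanitize=address to see
     * the heap-buffer-overflow report at the memcpy in parse_vulnerable. */
    uint8_t pkt[2 + 0x0400] = {0};
    size_t n = build_packet(pkt, sizeof pkt, 0x0400, "hello");
    free(parse_vulnerable(pkt, n));
    return 0;
}
```

The two checks in `parse_hardened` are the whole fix: a length field is untrusted input, so it has to be bounded by what was actually received (or the parser over-reads) and by what the destination can hold (or it overflows). Sizing the allocation from the validated length, as done here, also removes the fixed-buffer assumption that makes the vulnerable version exploitable with a single oversized message.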