search menu icon-carat-right cmu-wordmark

CERT Coordination Center

AOL ICQ Pro fails to properly handle incoming message lengths

Vulnerability Note VU#400780

Original Release Date: 2006-09-11 | Last Revised: 2006-09-11


A buffer overflow vulnerability in ICQ may allow a remote attacker to execute arbitrary code or create a denial-of-service condition.


ICQ is a instant messaging application that is maintained by AOL.

A buffer overflow vulnerability in ICQ Pro 2003b may allow a remote, unauthenticated attacker to execute arbitrary code or create a denial-of-service condition. By sending a specially crafted message to a vulnerable ICQ client, an attacker can trigger the overflow.

This vulnerability may also be exploited by convincing a user to connect to a malicious server.


A remote, unauthenticated attacker can execute arbitrary code with the privileges of the user who is running ICQ or create a denial-of-service condition.


AOL has addressed this issue in version 5.1 of the ICQ client.

Limit privileges

Running the ICQ client with reduced privileges may help mitigate the effects of this vulnerability. Users with administrator access can run ICQ with reduced privileges by following the instructions in Microsoft knowledgebase article 294676.

Vendor Information


America Online, Inc. Affected

Updated:  September 11, 2006



Vendor Statement


AOL has recently been made aware of a vulnerability in the ICQ 2003b client build #3916. Successful exploitation of the vulnerability may allow an attacker to remotely execute commands.

Affected Products and Applications

The following AOL/ICQ software products are affected by this issue:

* ICQ Pro 2003b Build #3916 and previous version

Solutions / Workarounds

1. AOL and ICQ recommend that users upgrade to the latest version of the ICQ client: ICQ 5.1

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

CVSS Metrics

Group Score Vector



Thanks to CoreLabs for reporting this issue.

This document was written by Ryan Giobbi.

Other Information

CVE IDs: None
Severity Metric: 9.41
Date Public: 2006-09-07
Date First Published: 2006-09-11
Date Last Updated: 2006-09-11 19:44 UTC
Document Revision: 46

Sponsored by CISA.