The Computer Emergency Response Team (Cert) yesterday released a warning about serious vulnerabilities in AOL Time Warner's ICQ chat tool.
The remotely exploitable buffer overflow affects AOL's Mirabilis ICQ versions 2001A and earlier.
Cert warned that attackers able to exploit the vulnerability may be able to execute arbitrary code on the target machine with the privileges of the victim.
Although Cert said that an exploit is known to exist, it stressed that it does "not believe it has been distributed in the wild". The organisation added: "We have not seen active scanning for this vulnerability, nor have we received any reports of this vulnerability being exploited."
According to figures from AOL, ICQ is used by around 122 million people.
The buffer overflow vulnerability can be exploited during the processing of a Voice Video & Games feature request message. This message is supposed to be a request from another ICQ user inviting the victim to participate interactively with a third-party application.
All versions prior to the latest build of 2001B are vulnerable, said the advisory. Version 2001B itself is vulnerable via a plug-in, but this problem will be resolved next time the user connects to an ICQ server.
AOL is recommending all users of vulnerable versions of ICQ to upgrade to 2001B Beta v5.18 Build #3659 immediately.
Alternative protection measures include blocking ICQ/SMS requests at the firewall as well as connections to login.icq.com and access to ports 4000/UDP, 5190/TCP and the TCP port that your ICQ client listens on, or blocking mistrusted messages by denying direct connections from anyone without authorisation.
Earlier this month AOL was forced to warn users over a serious flaw in its Instant Messenger software.
The Cert advisory can be found here.
Why does Facebook store "my entire call history with my partner's mum", asks developer who requested his Facebook data
Facebook database included text-message metadata - despite not using Facebook Messenger for SMS
Before Ocado could start selling the technology it had developed to other retailers, it had to tear down and rebuild its own monolithic architecture
Successful attack could result in harm to patients and financial loss, warns NHS governing body
Guccifer 2.0 claimed to be a lone Romanian hacker - until a schoolboy error gave him, her or them away