AOL has advised users of its ICQ instant message service to update to the latest version following the discovery of a bug in an older one.
Security researchers at Core Security Technologies reported yesterday that they had discovered the flaw in ICQ Pro 2003b, a version of the ICQ client that AOL still offers for download, billing it as a "veteran version" of the product for users who prefer the earlier look-and-feel.
Although the bug doesn't affect more recent ICQ software like ICQ 5.1, it could mean serious problems for old ICQ users, according to Max Caceres, director of product management at Core.
Researchers developed a proof-of-concept code that causes ICQ Pro 2003b to crash, which they believe could be exploited to run unauthorised software on a user's PC.
Hackers would attack a PC by sending a maliciously encoded instant message to any ICQ Pro 2003b user connected to the service. Victims "don't have to do anything at all," Caceres said. "Just by being there, someone can send them a message and they can be compromised."
Core has also discovered less-critical issues in AOL's ICQ Toolbar 1.3 for Internet Explorer. These flaws could allow attackers to change the toolbar's configuration settings or possibly even run scripting code by sending victims maliciously encoded RSS feeds.
AOL said it was working to fix the bugs, but the company has classified them as "minor and low-risk." A spokesman for the company said: "Any users who are concerned can simply upgrade to the latest version of ICQ or not load suspicious RSS feeds."