Summary:  On September 9 2006 Core Security Technologies (an Internet Security research and testing company) announced the presence of a vulnerability in a particular version (Pro 2003b) of the popular ICQ instant messaging client.  The vulnerability allows a remote attacker to crash the client by sending a specifically-crafted message (no actions on the part of the victim are necessary to set the attack in motion).  The application crash could potentially set the stage for system compromise.  

ICQ Pro 2003b is -not- the most current version of the client software (its original release date was October 2003) but it is still offered by ICQ for download because it retains the look and feel of the "original" Mirabilis ICQ client.  The ICQ client is also offered by America OnLine (AOL).  More recent versions of ICQ (ICQ 5.1, ICQ2Go) are not vulnerable to this exploit.

Recommended Actions:  AOL/ICQ recommend that users of ICQ Pro 2003b upgrade their client to the latest version (V5.1).  Because ICQ is a popular Instant Messaging platform for recreational and home-based users recipients of this alert are encouraged to share the information with family and friends (particularly longtime users of ICQ who may prefer to use the "old and classic" version of this client).

ITS Actions:  No additional specific actions are being taken to address this vulnerability at the present time.  An update will be issued if any new actions are taken.

Resources:

Core Security Technologies Advisory:
http://www.coresecurity.com/index.php5?module=ContentMod&action=item&id=1509

Network World article on vulnerability:
http://www.networkworld.com/news/2006/090706-nasty-bug-found-in-classic.html?nlhtbug=0911bug1

ICQ Download page:
http://download.icq.com/download/