Overview
ICQ 7 does not verify the origin of automatic updates which may allow a remote attacker to execute arbitrary code.
Description
According to ICQ's website: "ICQ, the pioneer of Instant Messaging (IM), now offers the optimal integration between Instant Messaging and Social Networks with the newest ICQ version – the Social Messaging tool that can be downloaded free of charge at www.icq.com." ICQ 7 checks for updates on start-up but does not verify the origin of updates through digital signatures or other means. An attacker who can successfully spoof update.icq.com using a man-in-the-middle attack, DNS poisoning, or some other means can cause the client to download a malicious software update. |
Impact
By successfully spoofing the update site, an attacker may be able to execute arbitrary code with the privileges of the user. |
Solution
We are currently unaware of a practical solution to this problem. |
Vendor Information
CVSS Metrics
| Group | Score | Vector |
|---|---|---|
| Base | ||
| Temporal | ||
| Environmental |
References
Acknowledgements
Thanks to Daniel Seither for reporting this vulnerability.
This document was written by Michael Orlando.
Other Information
| CVE IDs: | None |
| Severity Metric: | 13.16 |
| Date Public: | 2011-01-13 |
| Date First Published: | 2011-01-13 |
| Date Last Updated: | 2011-01-13 18:37 UTC |
| Document Revision: | 13 |