Vulnerability Note VU#680540

ICQ 7 fails to verify the origin of software updates

Original Release date: 13 Jan 2011 | Last revised: 13 Jan 2011


ICQ 7 does not verify the origin of automatic updates, which may allow a remote attacker to execute arbitrary code.


According to ICQ's website: "ICQ, the pioneer of Instant Messaging (IM), now offers the optimal integration between Instant Messaging and Social Networks with the newest ICQ version – the Social Messaging tool that can be downloaded free of charge at"

ICQ 7 checks for updates on start-up but does not verify the origin of those updates through digital signatures or any other means. An attacker who can impersonate the update server, for example through a man-in-the-middle attack or DNS poisoning, can cause the client to download and install a malicious software update.
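The following is an added example, not ICQ's code and not anything from this note: it shows, side by side, the accept-whatever-the-server-returns behaviour the note describes and the check a client should perform instead. The manifest layout, the Ed25519 scheme, the pinned-key arrangement and the installer bytes are all assumptions made for the illustration; the verification step pins the publisher's public key in the client so that an attacker who controls the connection cannot simply substitute their own key along with their own payload.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Manifest is a hypothetical update descriptor as a publisher would serve it.
// The client ships with the publisher's public key pinned; the server never
// supplies the key, otherwise a MITM could supply both key and payload.
type Manifest struct {
	Version    string
	PayloadSHA string // hex SHA-256 of the installer bytes
	Signature  []byte // Ed25519 signature over Version + "\n" + PayloadSHA
}

func manifestBytes(m Manifest) []byte {
	return []byte(m.Version + "\n" + m.PayloadSHA)
}

// signManifest is the publisher's offline step: hash the installer, commit to
// the hash in the manifest, sign the manifest with the private key.
func signManifest(priv ed25519.PrivateKey, version string, payload []byte) Manifest {
	sum := sha256.Sum256(payload)
	m := Manifest{Version: version, PayloadSHA: hex.EncodeToString(sum[:])}
	m.Signature = ed25519.Sign(priv, manifestBytes(m))
	return m
}

// acceptUnverified mirrors the behaviour the note describes: whatever the
// update site returns is accepted, so anyone who can spoof that site
// (MITM, DNS poisoning) gets their payload installed.
func acceptUnverified(payload []byte) ([]byte, error) {
	return payload, nil
}

// acceptVerified is the hardened path: the manifest must verify under the
// pinned publisher key, and the payload must match the hash the manifest
// commits to. Nothing is written to disk or executed unless both hold.
func acceptVerified(pub ed25519.PublicKey, m Manifest, payload []byte) ([]byte, error) {
	if len(pub) != ed25519.PublicKeySize {
		return nil, errors.New("pinned public key has wrong size")
	}
	if !ed25519.Verify(pub, manifestBytes(m), m.Signature) {
		return nil, errors.New("manifest signature invalid: not from the pinned publisher")
	}
	sum := sha256.Sum256(payload)
	want, err := hex.DecodeString(m.PayloadSHA)
	if err != nil || !bytes.Equal(sum[:], want) {
		return nil, errors.New("payload hash mismatch: update altered in transit")
	}
	return payload, nil
}

// runScenarios plays the cases a reviewer cares about and reports whether
// each update was accepted. Keys are generated here only for the demo; a
// real client ships the public key and never sees the private one.
func runScenarios() (map[string]bool, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	_, attackerPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	// Constructed stand-ins for installer bytes; not real ICQ files.
	genuine := []byte("icq7-setup: constructed stand-in for the genuine installer")
	malicious := []byte("icq7-setup: attacker-substituted installer")

	m := signManifest(priv, "7", genuine)
	res := map[string]bool{}

	// 1. Genuine manifest and payload: accepted.
	_, err = acceptVerified(pub, m, genuine)
	res["verified_accepts_genuine"] = err == nil
	// 2. Genuine manifest, payload swapped in transit: hash check rejects.
	_, err = acceptVerified(pub, m, malicious)
	res["verified_rejects_swapped_payload"] = err != nil
	// 3. Attacker signs a manifest for the malicious payload with their own
	//    key: signature check against the pinned key rejects.
	forged := signManifest(attackerPriv, "7", malicious)
	_, err = acceptVerified(pub, forged, malicious)
	res["verified_rejects_forged_manifest"] = err != nil
	// 4. The unverified path from the note: the swapped payload is accepted.
	_, err = acceptUnverified(malicious)
	res["unverified_accepts_swapped_payload"] = err == nil
	return res, nil
}

func main() {
	res, err := runScenarios()
	if err != nil {
		panic(err)
	}
	for name, accepted := range res {
		fmt.Printf("%-36s %v\n", name, accepted)
	}
}
```

Transport security alone (HTTPS with a validated certificate) would also stop the spoofing attacks named in the note, but a signature over the manifest additionally protects against a compromised or mis-served update host, which is why pinned-key signing is the usual recommendation for update channels.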


By successfully spoofing the update site, an attacker may be able to execute arbitrary code with the privileges of the user running the ICQ client.


We are currently unaware of a practical solution to this problem.

Vendor Information

Vendor                     Status    Date Notified  Date Updated
Digital Sky Technologies   Affected  -              13 Jan 2011
If you are a vendor and your product is affected, let us know.

CVSS Metrics

Group          Score  Vector
Base           N/A    N/A
Temporal       N/A    N/A
Environmental  N/A    N/A


References

  • None


Thanks to Daniel Seither for reporting this vulnerability.

This document was written by Michael Orlando.

Other Information

  • CVE IDs: Unknown
  • Date Public: 13 Jan 2011
  • Date First Published: 13 Jan 2011
  • Date Last Updated: 13 Jan 2011
  • Severity Metric: 13.16
  • Document Revision: 13


If you have feedback, comments, or additional information about this vulnerability, please send us email.