Vulnerability Note VU#680540

ICQ 7 fails to verify the origin of software updates

Original Release date: 13 Jan 2011 | Last revised: 13 Jan 2011

Overview

ICQ 7 does not verify the origin of automatic updates, which may allow a remote attacker to execute arbitrary code.

Description

According to ICQ's website: "ICQ, the pioneer of Instant Messaging (IM), now offers the optimal integration between Instant Messaging and Social Networks with the newest ICQ version – the Social Messaging tool that can be downloaded free of charge at www.icq.com." ICQ 7 checks for updates on start-up but does not verify the origin of updates through digital signatures or other means. An attacker who can successfully spoof update.icq.com using a man-in-the-middle attack, DNS poisoning, or some other means can cause the client to download a malicious software update.
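The missing check described above is origin authentication of the update itself, independent of which host served it. The following is an added example, not ICQ's code or its update format, of the gate an update client can run before executing a download: the vendor signs a small manifest (version plus SHA-256 of the installer) with an Ed25519 key whose public half is pinned in the client, and the client accepts a payload only if the manifest signature verifies and the payload hashes to the digest the manifest names. The manifest layout, the "icq-update-manifest" tag, the version label and the sample bytes are all constructed for this example. With the key pinned in the client, controlling update.icq.com through DNS poisoning or a man-in-the-middle position gives an attacker nothing that passes the first check, and swapping the payload behind a genuine manifest fails the second.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Manifest describes one update: a version label and the SHA-256 of the
// installer payload. The vendor signs the manifest offline; the client
// accepts the payload only if the signature verifies under a key pinned in
// the client AND the downloaded bytes hash to the digest the manifest names.
// The layout and the "icq-update-manifest" tag are constructed for this
// example, not ICQ's real format.
type Manifest struct {
	Version string
	SHA256  string // hex-encoded digest of the installer payload
}

// Encode returns the canonical bytes covered by the signature. Signer and
// verifier must produce identical bytes, so the encoding is deterministic.
func (m Manifest) Encode() []byte {
	return []byte("icq-update-manifest\n" + m.Version + "\n" + m.SHA256 + "\n")
}

// Distinguishable failures: which of the two checks rejected the update.
var (
	ErrBadSignature   = errors.New("manifest signature does not verify under the pinned vendor key")
	ErrDigestMismatch = errors.New("payload digest does not match the signed manifest")
)

// SignManifest is the vendor-side step, run with the private key on release
// infrastructure, never on the public update host.
func SignManifest(priv ed25519.PrivateKey, m Manifest) []byte {
	return ed25519.Sign(priv, m.Encode())
}

// VerifyUpdate is the client-side gate that must pass before the payload is
// written to disk as an executable or run. Because the public key is pinned
// in the client rather than fetched from the update host, spoofing that host
// yields nothing that passes the first check, and replacing the payload
// behind a genuine manifest fails the second.
func VerifyUpdate(pinned ed25519.PublicKey, m Manifest, sig, payload []byte) error {
	if !ed25519.Verify(pinned, m.Encode(), sig) {
		return ErrBadSignature
	}
	want, err := hex.DecodeString(m.SHA256)
	if err != nil {
		return ErrDigestMismatch
	}
	got := sha256.Sum256(payload)
	if !bytes.Equal(got[:], want) {
		return ErrDigestMismatch
	}
	return nil
}

// DigestHex hex-encodes the SHA-256 of b; used by signer and demo alike.
func DigestHex(b []byte) string {
	s := sha256.Sum256(b)
	return hex.EncodeToString(s[:])
}

func main() {
	// Constructed demo: a vendor key pair, one genuine release, and two
	// hostile cases (payload swapped; manifest signed with the wrong key).
	vendorPub, vendorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	installer := []byte("constructed sample installer bytes")
	m := Manifest{Version: "7.x-example", SHA256: DigestHex(installer)}
	sig := SignManifest(vendorPriv, m)

	fmt.Println("genuine update :", VerifyUpdate(vendorPub, m, sig, installer))
	fmt.Println("payload swapped:", VerifyUpdate(vendorPub, m, sig, []byte("not the signed installer")))

	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	evil := []byte("not the signed installer")
	em := Manifest{Version: "7.x-example", SHA256: DigestHex(evil)}
	fmt.Println("wrong signer   :", VerifyUpdate(vendorPub, em, SignManifest(otherPriv, em), evil))
}
```

The order of the checks matters: the signature is verified before any field of the manifest is trusted, so an attacker-controlled digest string is never compared against anything. Only the first case in main returns nil; the other two return the sentinel errors, which lets a client log precisely which check rejected the download.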

Impact

By successfully spoofing the update site, an attacker may be able to execute arbitrary code with the privileges of the user.

Solution

We are currently unaware of a practical solution to this problem.

Vendor Information

Vendor                     Status     Date Notified   Date Updated
Digital Sky Technologies   Affected   -               13 Jan 2011

CVSS Metrics

Group           Score   Vector
Base            N/A     N/A
Temporal        N/A     N/A
Environmental   N/A     N/A

References

  • None

Credit

Thanks to Daniel Seither for reporting this vulnerability.

This document was written by Michael Orlando.

Other Information

  • CVE IDs: Unknown
  • Date Public: 13 Jan 2011
  • Date First Published: 13 Jan 2011
  • Date Last Updated: 13 Jan 2011
  • Severity Metric: 13.16
  • Document Revision: 13
