ICQ Bug May Let Remote Users Inject and Execute Scripting Code
SecurityTracker Alert ID: 1016045|
SecurityTracker URL: http://securitytracker.com/id/1016045
(Links to External Site)
Updated: Dec 5 2009|
Original Entry Date: May 9 2006
Execution of arbitrary code via network, User access via network|
Version(s): 5.04 build 2321 and prior versions|
A vulnerability was reported in ICQ. A remote user can inject and execute arbitrary scripting code in the My Computer zone in certain cases.|
The ICQ client advertising function displays banner advertisements within an Internet Explorer COM object in some of the window components. Under certain conditions, a remote user can cause arbitrary scripting code to be rendered within that object and executed by the target user's browser in the My Computer security zone.
QQLan reported this vulnerability.
A remote user can cause arbitrary scripting code to be executed on the target user's system.|
No solution was available at the time of this entry.|
The report indicates that, as a workaround, you can set 'ar.atwola.com' to the loopback address '127.0.0.1' in the hosts file.
Vendor URL: www.icq.com/ (Links to External Site)
|Underlying OS: Windows (Any)|
Source Message Contents
Subject: [Full-disclosure] ICQ Client Cross-Application Scripting (XAS)|
QQLan QQlan@yandex.ru reported vulnerability in multiple versions of ICQ
Inc.' ICQ instant messenger client in a way it interacts with Microsoft
Author: QQlan <QQlan@yandex.ru>
Title: ICQ Client Cross-Application Scripting (XAS)
Vendor: ICQ Inc.
Versions: up to and including 5.04 build 2321
Vulnerability class: man-in-the-middle, against client
Vulnerability type: cross application scripting (My Computer zone)
Risk level: low (high, if unsecured shared network is used)
ICQ is probably most popular instant messaging application by ICQ Inc.
Under some conditions, ICQ client is vulnerable to remote script injection into
My Computer Security Zone of Internet Explorer component used to display
Cross application scripting (XAS) is possible when an application
executes data in a security context different from the original content
(presumably one with less security restrictions). For example the data
may be obtained from an un-trusted source (a remote web server) that is
sent unfiltered into a trusted application such as when web content is
downloaded from a remote server, and then re-displayed on the local
host. Any application that downloads and then later displays and
ICQ Client has very annoying advertising function. Banners are displayed
inside Internet Explorer COM object embedded into main window, “Welcome
Screen” and every “Message Session” dialogs. Under some condition
attacker can replace HTML content in this forms with malicious script
which will be executed in My Computer security zone of Internet
Technical information will be published (three months maybe years later)
after vendor provide a patch.
1. Press Ctrl+Shift+Esc
2. In File/Run menu type cmd.exe
3. In cmd.exe console type
echo 127.0.0.1 ar.atwola.com >> %SystemRoot%\system32\drivers\etc\hosts
5/2005 Vulnerability discovered
4/2006 Last attempt to contact vendor
5/2006 Public disclosure
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/