ICQ – the popular instant messaging application – has a gaping security hole that can allow attackers to execute malicious code on the targeted system, says researcher Daniel Seither.
The flaw is in the application’s automatic update mechanism and affects all versions of ICQ 7 for Windows up to the latest one.
The problem lies in the fact that the application doesn’t verify the identity of the update server or the origin of updates through digital signatures or similar means.
“By impersonating the update server (think DNS spoofing), an attacker can act as an update server of its own and deliver arbitrary files that are executed on the next launch of the ICQ client,” explained Seither in a BugTraq post. “Since ICQ is automatically launched right after booting Windows by default and it checks for updates on every start, it can be attacked very reliably.”
He even developed (and published) a PoC ICQ update builder and shared step-by-step instructions on how to run an HTTP server to serve the malicious updates.
Since there is no way to switch off the automatic updating mechanism, Seither advises users to stop using the application until a fix is issued.
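The missing check described above, sketched as an added example (not ICQ's code and not from Seither's post): an updater that accepts files only when a manifest of their SHA-256 hashes carries a valid RSA signature from a public key pinned in the client. The key, manifest layout, file name and function names are all assumptions made for illustration, and the demo key is built from well-known primes so the example can sign its own sample.

```python
import hashlib
import json

# Constructed demo key: the modulus is the product of two well-known primes, so
# the private half is public knowledge and the key is far too short for real use.
# A real client ships with the vendor's full-size public key pinned inside it.
P, Q = 2**255 - 19, 2**256 - 2**32 - 977
PINNED_N, PINNED_E = P * Q, 65537
K = (PINNED_N.bit_length() + 7) // 8  # modulus length in bytes (64 here)
# DER DigestInfo prefix for SHA-256 (RFC 8017, section 9.2)
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")

def _encode(message: bytes) -> bytes:
    """EMSA-PKCS1-v1_5 encoding of SHA-256(message), K bytes long."""
    t = SHA256_PREFIX + hashlib.sha256(message).digest()
    return b"\x00\x01" + b"\xff" * (K - len(t) - 3) + b"\x00" + t

def demo_sign(message: bytes) -> bytes:
    """Vendor-side signing; possible here only because the demo primes are known."""
    d = pow(PINNED_E, -1, (P - 1) * (Q - 1))
    m = int.from_bytes(_encode(message), "big")
    return pow(m, d, PINNED_N).to_bytes(K, "big")

def signature_ok(message: bytes, signature: bytes) -> bool:
    """RSASSA-PKCS1-v1_5 verification against the pinned public key."""
    s = int.from_bytes(signature, "big")
    if len(signature) != K or s >= PINNED_N:
        return False
    # Rebuild the expected encoding and compare whole, rather than parsing padding.
    return pow(s, PINNED_E, PINNED_N).to_bytes(K, "big") == _encode(message)

def accept_update(manifest: bytes, signature: bytes, files: dict) -> bool:
    """True only if the manifest is vendor-signed and every file matches it."""
    if not signature_ok(manifest, signature):
        return False  # manifest was not signed by the pinned key
    expected = json.loads(manifest)["files"]  # {file name: SHA-256 hex}
    if set(expected) != set(files):
        return False  # extra or missing file
    return all(hashlib.sha256(files[n]).hexdigest() == expected[n] for n in expected)

def make_manifest(files: dict) -> bytes:
    hashes = {n: hashlib.sha256(b).hexdigest() for n, b in files.items()}
    return json.dumps({"files": hashes}, sort_keys=True).encode()

# Constructed sample update (file name and contents are made up)
GOOD_FILES = {"update.bin": b"vendor build"}
MANIFEST = make_manifest(GOOD_FILES)
SIGNATURE = demo_sign(MANIFEST)
```

With this check in place, a host that only impersonates the update server can swap the files or the manifest but cannot produce a signature the client will accept, so the update is rejected before anything is executed.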