September 28, 2016

ICQ 7 Automatic Update Flaw Allows Remote Code Execution

Daniel Seither, a student at Technische Universität Darmstadt in Germany, has discovered a flaw in the popular instant messaging application ICQ where remote code execution is possible due to a vulnerability in the automatic update mechanism.

The problem is that ICQ 7 does not check the authenticity of the update server or the validity of the updates that it downloads. By using DNS spoofing to impersonate the update server, an attacker can deliver arbitrary files that are executed on the next launch of the ICQ client.
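The two missing checks, shown as an added illustration that is not part of the original article or of the ICQ client: an updater that accepts a downloaded file only when a vendor-authenticated manifest names its hash, so neither a swapped file nor a rewritten manifest from a spoofed server is installed. The key, manifest and payloads are constructed for the example; HMAC is used only so it runs with the standard library, and a real client would use a public-key signature (so the key shipped in the client cannot forge updates) and would also authenticate the update server over TLS.

```python
import hashlib
import hmac
import json

# Constructed demo key standing in for the verification key embedded in the
# client. HMAC is used here only so the example runs on the standard library;
# a real updater must use a public-key signature (e.g. Ed25519) so that the
# key shipped in the client cannot be used to forge updates.
CLIENT_VERIFY_KEY = b"constructed-demo-key-do-not-use"


def sign_manifest(key: bytes, manifest: dict) -> str:
    """Vendor side: authentication tag over the canonical JSON manifest."""
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def verify_update(manifest: dict, tag: str, payload: bytes) -> bool:
    """Client side: accept the update only if both checks pass.

    1. The manifest carries a valid tag, so it comes from the vendor and not
       from whoever answered the DNS query for the update host.
    2. The downloaded payload matches the digest named in the manifest, so a
       spoofed server cannot substitute a different executable.
    """
    expected = sign_manifest(CLIENT_VERIFY_KEY, manifest)
    if not hmac.compare_digest(expected, tag):
        return False
    digest = hashlib.sha256(payload).hexdigest()
    return hmac.compare_digest(digest, manifest["sha256"])


# Constructed demonstration data: a genuine update and its signed manifest.
GENUINE_UPDATE = b"genuine update bytes (constructed)"
MANIFEST = {"file": "update.bin", "sha256": hashlib.sha256(GENUINE_UPDATE).hexdigest()}
TAG = sign_manifest(CLIENT_VERIFY_KEY, MANIFEST)


def demo() -> dict:
    """Run the checks against a genuine update and two spoofing attempts."""
    tampered = b"arbitrary file from spoofed server (constructed)"
    forged_manifest = dict(MANIFEST, sha256=hashlib.sha256(tampered).hexdigest())
    return {
        "genuine": verify_update(MANIFEST, TAG, GENUINE_UPDATE),
        # Spoofed server swaps the file but cannot alter the signed manifest.
        "swapped_payload": verify_update(MANIFEST, TAG, tampered),
        # Spoofed server rewrites the manifest but cannot produce a valid tag.
        "forged_manifest": verify_update(forged_manifest, TAG, tampered),
    }


if __name__ == "__main__":
    print(demo())
```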

The flaw affects only ICQ 7 for Windows (including version 7.2); other ICQ clients should not be affected, since the problem lies in the ICQ for Windows software update mechanism and not in the ICQ IM protocol itself.

Unfortunately, the only workaround at the moment is to stop using ICQ for Windows until a fix is released, as ICQ 7 does not offer an option to disable automatic updates.