ICQ 7 fails to verify the origin of software updates

ID VU:680540
Type cert
Reporter CERT
Modified 2011-01-13T18:37:00

Overview

ICQ 7 does not verify the origin of automatic updates, which may allow a remote attacker to execute arbitrary code.

Description

According to ICQ's website: "ICQ, the pioneer of Instant Messaging (IM), now offers the optimal integration between Instant Messaging and Social Networks with the newest ICQ version – the Social Messaging tool that can be downloaded free of charge at www.icq.com." ICQ 7 checks for updates on start-up but does not verify the origin of updates through digital signatures or other means. An attacker who can successfully spoof update.icq.com using a man-in-the-middle attack, DNS poisoning, or some other means can cause the client to download a malicious software update.
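The control the note says is missing is an origin check on the downloaded update. As an added illustration (not ICQ's code, and not part of the original note), the following Go program contrasts the unverified flow described above with a client that pins the publisher's Ed25519 public key and rejects any package whose signature does not verify, including one served by a spoofed update host signing with its own key. The function names, the `UpdatePackage` structure and the sample payloads are hypothetical.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// UpdatePackage models what a client fetches from the update host:
// the installer bytes plus a detached signature over them (hypothetical format).
type UpdatePackage struct {
	Payload   []byte
	Signature []byte
}

// AcceptUnverified mirrors the behaviour the note describes: whatever the
// update host returns is treated as genuine, so control of update.icq.com
// (via MITM, DNS poisoning, ...) is enough to hand the client arbitrary code.
func AcceptUnverified(pkg UpdatePackage) []byte {
	return pkg.Payload
}

// SignUpdate is the publisher side: the private key stays with the vendor,
// never on the update host, so a spoofed host cannot produce valid signatures.
func SignUpdate(priv ed25519.PrivateKey, payload []byte) UpdatePackage {
	return UpdatePackage{Payload: payload, Signature: ed25519.Sign(priv, payload)}
}

// VerifyUpdate is the hardened client side: the public key is pinned in the
// client binary, so origin is established by the signature, not by the host name.
func VerifyUpdate(pinned ed25519.PublicKey, pkg UpdatePackage) error {
	if !ed25519.Verify(pinned, pkg.Payload, pkg.Signature) {
		return errors.New("update rejected: signature does not match pinned publisher key")
	}
	return nil
}

func main() {
	vendorPub, vendorPriv, _ := ed25519.GenerateKey(rand.Reader)
	genuine := SignUpdate(vendorPriv, []byte("constructed genuine installer"))
	fmt.Println("genuine:", VerifyUpdate(vendorPub, genuine))

	// Constructed scenario: a spoofed update host serves a package signed
	// with a key the client has never pinned. The unverified client runs it;
	// the verifying client refuses it.
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	spoofed := SignUpdate(otherPriv, []byte("constructed malicious installer"))
	fmt.Println("unverified client accepted", len(AcceptUnverified(spoofed)), "bytes")
	fmt.Println("spoofed:", VerifyUpdate(vendorPub, spoofed))
}
```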

Impact

By successfully spoofing the update site, an attacker may be able to execute arbitrary code with the privileges of the user.

Solution

We are currently unaware of a practical solution to this problem.

Vendor Information



Digital Sky Technologies Affected

Updated: January 13, 2011



Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

CVSS Metrics

Group | Score | Vector
Base | |
Temporal | |
Environmental | |



Thanks to Daniel Seither for reporting this vulnerability.

This document was written by Michael Orlando.

Other Information

CVE IDs: None
Severity Metric: 13.16
Date Public: 2011-01-13
Date First Published: 2011-01-13
Date Last Updated: 2011-01-13 18:37 UTC
Document Revision: 13