Added: 12/15/2006
CVE: CVE-2006-5650
BID: 20930
OSVDB: 30220
America Online (AOL) ICQ is a widely used program for communicating with other users on the Internet.
The **ICQPhone.SipxPhoneManager** ActiveX control, which is installed with ICQ, includes a function called **DownloadAgent**, which downloads a file from a specified URL and executes it. This allows attackers to execute arbitrary commands by messaging an ICQ user.
AOL issued an update on October 31, 2006, which fixes the vulnerability. The update is applied automatically when a user connects to the ICQ service.
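A host that has not connected to the ICQ service since the update may still have the old control registered. The following PowerShell is an added example, not code from AOL or from this advisory: it resolves the ProgID named above to its CLSID through the standard COM registry layout, then reports the implementing binary, its file version, and whether the Internet Explorer kill bit is set for it. Assumptions: the function name `Get-ActiveXControlStatus` is hypothetical, the advisory does not state a fixed file version (so the version is reported for comparison only), and the kill bit is a general Internet Explorer mechanism, not something the advisory says AOL's update uses.

```powershell
# Added example: host inventory check for the control named in this advisory.
function Get-ActiveXControlStatus {
    param([Parameter(Mandatory)][string]$ProgId)

    $status = [ordered]@{ ProgId = $ProgId; Registered = $false; Clsid = $null
                          ServerPath = $null; FileVersion = $null; KillBitSet = $false }

    # Standard COM layout: HKCR\<ProgID>\CLSID holds the class identifier.
    $progIdKey = "Registry::HKEY_CLASSES_ROOT\$ProgId\CLSID"
    if (-not (Test-Path -LiteralPath $progIdKey)) { return [pscustomobject]$status }
    $clsid = (Get-Item -LiteralPath $progIdKey).GetValue('')
    $status.Registered = $true
    $status.Clsid = $clsid

    # Find the implementing binary; a 32-bit control on 64-bit Windows is
    # registered under Wow6432Node.
    $classRoots = 'Registry::HKEY_CLASSES_ROOT\CLSID',
                  'Registry::HKEY_CLASSES_ROOT\Wow6432Node\CLSID'
    foreach ($root in $classRoots) {
        foreach ($kind in 'InprocServer32', 'LocalServer32') {
            $serverKey = "$root\$clsid\$kind"
            if ($status.ServerPath -or -not (Test-Path -LiteralPath $serverKey)) { continue }
            $path = ([string](Get-Item -LiteralPath $serverKey).GetValue('')).Trim('"')
            $status.ServerPath = $path
            if ($path -and (Test-Path -LiteralPath $path -PathType Leaf)) {
                $status.FileVersion = (Get-Item -LiteralPath $path).VersionInfo.FileVersion
            }
        }
    }

    # Internet Explorer kill bit: bit 0x400 of "Compatibility Flags".
    $ieRoots = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
               'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
    foreach ($root in $ieRoots) {
        $key = "$root\$clsid"
        if (Test-Path -LiteralPath $key) {
            $flags = (Get-Item -LiteralPath $key).GetValue('Compatibility Flags', 0)
            if ($flags -band 0x400) { $status.KillBitSet = $true }
        }
    }
    return [pscustomobject]$status
}

Get-ActiveXControlStatus -ProgId 'ICQPhone.SipxPhoneManager' | Format-List
```

`Registered = False` means the ProgID is absent from the host; a registered control with no kill bit should be checked against the current ICQ release.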
<http://archives.neohapsis.com/archives/fulldisclosure/2006-11/0087.html>
The exploit works on AOL ICQ 5.1 and requires a user to click on a link to the exploit.
Windows