SAINT Corporation, SAINT:977EB607B9BF00FAB4556D3A36A05E83
Dec 15, 2006 - 12:00 a.m.

AOL ICQ ActiveX DownloadAgent vulnerability

2006-12-15 00:00:00
SAINT Corporation
www.saintcorporation.com

EPSS: 0.965 (High), percentile 99.5%

Added: 12/15/2006
CVE: CVE-2006-5650
BID: 20930
OSVDB: 30220

Background

America Online (AOL) ICQ is a widely used program for communicating with other users on the Internet.

Problem

The **ICQPhone.SipxPhoneManager** ActiveX control, which is installed with ICQ, includes a function called **DownloadAgent** which downloads a file from a specified URL and executes it. This allows attackers to execute arbitrary commands by messaging an ICQ user.

Resolution

AOL issued an update on October 31, 2006 which fixes the vulnerability. The update is automatically applied when a user connects to the ICQ service.
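
To confirm on a Windows host whether the control named above is still registered and which binary implements it, the following added example (not part of the SAINT advisory) resolves the ProgID through the standard COM registry layout. The function name is hypothetical, and the Internet Explorer kill-bit check is a general Windows mechanism that the advisory itself does not mention.

```powershell
# Added example: host check for the control named in this advisory.
# Only the ProgID comes from the advisory; the rest is the standard COM registry layout.
function Get-ActiveXControlStatus {
    param([string]$ProgId = 'ICQPhone.SipxPhoneManager')

    # Helper: return a registry key's default value, or nothing if the key is absent.
    $default = {
        param($path)
        $k = Get-Item -LiteralPath $path -ErrorAction SilentlyContinue
        if ($k) { $k.GetValue('') }
    }

    # 1. Resolve ProgID -> CLSID (machine-wide and per-user registrations).
    $clsid = foreach ($root in 'HKLM:\SOFTWARE\Classes', 'HKCU:\SOFTWARE\Classes') {
        & $default "$root\$ProgId\CLSID"
    }
    $clsid = $clsid | Where-Object { $_ } | Select-Object -First 1
    if (-not $clsid) {
        return [pscustomobject]@{ ProgId = $ProgId; Registered = $false }
    }

    # 2. Locate the binary behind the control (native and 32-bit registry views).
    $servers = foreach ($root in 'HKLM:\SOFTWARE\Classes\CLSID',
                                 'HKLM:\SOFTWARE\Classes\WOW6432Node\CLSID',
                                 'HKCU:\SOFTWARE\Classes\CLSID') {
        foreach ($kind in 'InprocServer32', 'LocalServer32') {
            & $default "$root\$clsid\$kind"
        }
    }
    $servers = @($servers | Where-Object { $_ } | Select-Object -Unique)

    # 3. Kill bit: "Compatibility Flags" bit 0x400, reported if set in either view.
    $killBit = $false
    foreach ($root in 'HKLM:\SOFTWARE\Microsoft', 'HKLM:\SOFTWARE\WOW6432Node\Microsoft') {
        $p = "$root\Internet Explorer\ActiveX Compatibility\$clsid"
        $flags = (Get-ItemProperty -LiteralPath $p -ErrorAction SilentlyContinue).'Compatibility Flags'
        if ($flags -band 0x400) { $killBit = $true }
    }

    [pscustomobject]@{
        ProgId     = $ProgId
        Registered = $true
        Clsid      = $clsid
        Servers    = $servers
        KillBitSet = $killBit
    }
}

Get-ActiveXControlStatus | Format-List
```

A result of `Registered = $false` means the ProgID is not present on the host; when it is registered, the `Servers` paths identify the file whose version can be compared against the installed ICQ release.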

References

<http://archives.neohapsis.com/archives/fulldisclosure/2006-11/0087.html>

Limitations

The exploit works on AOL ICQ 5.1 and requires a user to click on a link to the exploit.

Platforms

Windows
