ICQ Client Cross-Application Scripting (XAS)

Type securityvulns
Reporter Securityvulns
Modified 2006-05-09T00:00:00


ICQ Client Cross-Application Scripting (XAS) by QQlan@yandex.ru

Severity: Low

Potential Impact: Remote script execution

Under some conditions the ICQ client is vulnerable to remote script injection into the Internet Explorer instance it uses, running in the My Computer security zone.

Detailed description

<quote src=http://www.security.nnov.ru/Jdocument327.html> Cross application scripting (XAS) is possible when an application executes data in a security context different from the original content (presumably one with less security restrictions). For example the data may be obtained from an un-trusted source (a remote web server) that is sent unfiltered into a trusted application such as when web content is downloaded from a remote server, and then re-displayed on the local host. Any application that downloads and then later displays and executes web content (such as JavaScript) may be vulnerable to XAS. </quote>

ICQ Client has a very annoying advertising function. Banners are displayed in an Internet Explorer COM object embedded in the main window, the “Welcome Screen” and every “Message Session” dialog. Under some conditions an attacker can replace the HTML content in these forms with a malicious script, which will be executed in the My Computer security zone of Internet Explorer.

Technical information will be published (three months, maybe years) after the vendor provides a patch.


echo 127.0.0.1 ar.atwola.com >> c:\WINDOWS\system32\drivers\etc\hosts
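
A check that the hosts-file line above actually takes effect, as an added example that is not part of the original advisory: it parses hosts-file text and reports whether ar.atwola.com is mapped to a loopback or null address. A hosts entry needs an address followed by names, so a line holding only the hostname is reported as malformed. The function names and the sample hosts files are constructed for illustration.

```python
import ipaddress

BANNER_HOST = "ar.atwola.com"  # host named in the advisory's hosts-file line

# Constructed sample hosts files (not taken from a real system).
SAMPLE_BROKEN = "127.0.0.1 localhost\nar.atwola.com\n"
SAMPLE_FIXED = "127.0.0.1 localhost\n127.0.0.1  AR.atwola.com  # banners\n"


def parse_hosts(text):
    """Return ({lowercased name: [addresses]}, [(line number, bad line)])."""
    mappings, malformed = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and padding
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            malformed.append((lineno, line))  # no leading address
            continue
        if len(fields) < 2:
            malformed.append((lineno, line))  # address without any name
            continue
        for name in fields[1:]:
            mappings.setdefault(name.lower(), []).append(addr)
    return mappings, malformed


def sinkhole_status(text, host=BANNER_HOST):
    """Classify `host` as 'blocked', 'misdirected', 'malformed' or 'missing'."""
    host = host.lower()
    mappings, malformed = parse_hosts(text)
    addrs = mappings.get(host)
    if addrs:
        # Require every entry to be loopback or 0.0.0.0/:: so the result
        # does not depend on which duplicate the resolver picks.
        safe = all(a.is_loopback or a.is_unspecified for a in addrs)
        return "blocked" if safe else "misdirected"
    if any(host in line.lower().split() for _, line in malformed):
        return "malformed"
    return "missing"


if __name__ == "__main__":
    for label, text in (("broken", SAMPLE_BROKEN), ("fixed", SAMPLE_FIXED)):
        print(label, "->", sinkhole_status(text))
```
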

Disclosure timeline

5/2005 Vulnerability discovered
4/2006 Last attempt to contact vendor
5/2006 Public disclosure

References

http://www.security.nnov.ru/Jdocument281.html
http://www.securitylab.ru/contest/212127.php