Critical hole in ICQ instant messenger
Manipulated messages can make other users' ICQ 6 instant messenger clients crash. The cause of the problem is a format-string vulnerability that is triggered when HTML messages containing a format-string specifier such as %020000000p are processed. Security service providers Secunia and FrSIRT reckon that the hole can also be exploited to inject and execute code. They don't say whether there has already been an exploit or whether their assumption is based on their own analyses.
ICQ Version 6 Build 6043 is affected, but it's very likely that other versions also contain the flaw. There is no update as yet. A certain degree of protection against random attacks can be had by only accepting messages from known contacts and deleting unfamiliar names from the list. Messages from unknown persons should be trashed.
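The following C program is an added illustration of the bug class, not code from ICQ or from the researchers named here. It shows the difference between the vulnerable pattern (attacker-controlled text used as the format string) and the hardened one (a constant format string with the text passed as an argument), and includes a hypothetical helper that counts how many conversion specifications an incoming message would trigger, the kind of check a client or gateway could apply to flag suspicious messages. The function names and the sample message are constructed for this example.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Hypothetical helper: count the conversion specifications an untrusted
 * string would trigger if it were ever used as a format string.
 * "%%" is a literal percent sign and is not counted. */
int count_format_directives(const char *msg)
{
    int n = 0;
    for (const char *p = msg; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {      /* "%%" -> literal '%' */
            p++;
            continue;
        }
        n++;                    /* '%' followed by flags/width/conversion */
    }
    return n;
}

/* Vulnerable pattern (shown as a comment only, deliberately not executed):
 *
 *     snprintf(out, outsz, msg);
 *
 * Here msg is the format string. With msg == "%020000000p" the call consumes
 * a pointer argument that was never passed and tries to pad it to
 * 20,000,000 characters, which is exactly the kind of input the article
 * describes as crashing the client. */

/* Hardened pattern: the format string is a constant and the untrusted text
 * is an argument, so every '%' in it is copied verbatim and no argument
 * is ever pulled from the stack. Returns the length snprintf reports. */
int render_message_safe(char *out, size_t outsz, const char *msg)
{
    return snprintf(out, outsz, "%s", msg);
}

/* Convenience check: returns 1 if the hardened renderer reproduces the
 * message byte for byte (i.e. nothing in it was interpreted), 0 otherwise. */
int rendered_verbatim(const char *msg)
{
    char buf[256];
    int n = render_message_safe(buf, sizeof buf, msg);
    if (n < 0 || (size_t)n >= sizeof buf)
        return 0;
    return strcmp(buf, msg) == 0;
}

int main(void)
{
    /* Constructed sample: the specifier quoted in the article. */
    const char *sample = "%020000000p";
    char buf[256];

    printf("directives in sample: %d\n", count_format_directives(sample));
    render_message_safe(buf, sizeof buf, sample);
    printf("hardened output: %s\n", buf);
    return 0;
}
```

The hardened renderer emits the literal text `%020000000p`; the counter reports one directive for that message and none for text such as `100%% done`, which is the signal a filter would key on.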
In his blog entry, the original finder of the bug recalls a vulnerability in Internet Explorer 6 and 7 (German text), discovered last year but still unpatched, which causes the browser to crash. The following line in an HTML document is all that's needed:
<style>*{position:relative}</style><table><input></table>
Since ICQ uses Microsoft's browser to render HTML messages, it too is vulnerable at this point.
See also:
- ICQ6 User crashen [crashing ICQ6 users], blog entry on Raid Rush (German text)
(mba)