To be safe until they do, I suggest using an alternate, compatible IM client such as Trillian, Adium, Pidgin or Digsby. The vulnerability exists in the lastest build of ICQ 6.5, and may affect older versions as well.Īs of yet, ICQ has not issued an update to fix this vulnerability. For example, it could be used for forcing of the ICQ users to click on attacker’s malicious link. There are two risks that have been identified:įor example, an attacker can inject tag that could lead information disclosure (such as remote client’s IP address, browser version, OS version, etc.)Īn attacker can spoof ICQ client software’s system messages, interface elements (buttons, links) in the message window, etc. Potentially an arbitrary HTML code could be injected. The malicious message can contain text data which will be interpreted and displayed in the incoming message window as a HTML code. An attacker can try to exploit the vulnerability by sending specially crafted message to the remote ICQ client. The incoming message window in the vulnerable ICQ client works like a mini web browser. reports that popular instant messenger ICQ (“I seek you”), version 6.5 is vulnerable to HTML-injection attack.
0 kommentar(er)
