{"vuid":"VU#680540","idnumber":"680540","name":"ICQ 7 fails to verify the origin of software updates","keywords":["ICQ 7","arbitrary code execution"],"overview":"ICQ 7 does not verify the origin of automatic updates which may allow a remote attacker to execute arbitrary code.","clean_desc":"According to ICQ's website: \"ICQ, the pioneer of Instant Messaging (IM), now offers the optimal integration between Instant Messaging and Social Networks with the newest ICQ version – the Social Messaging tool that can be downloaded free of charge at www.icq.com.\" ICQ 7 checks for updates on start-up but does not verify the origin of updates through digital signatures or other means. An attacker who can successfully spoof update.icq.com using a man-in-the-middle attack, DNS poisoning, or some other means can cause the client to download a malicious software update.","impact":"By successfully spoofing the update site, an attacker may be able to execute arbitrary code with the privileges of the user.","resolution":"We are currently unaware of a practical solution to this problem.","workarounds":"","sysaffected":"","thanks":"Thanks to Daniel Seither for reporting this vulnerability.","author":"This document was written by Michael Orlando.","public":[],"cveids":[""],"certadvisory":"","uscerttechnicalalert":null,"datecreated":"2010-11-15T18:15:48Z","publicdate":"2011-01-13T00:00:00Z","datefirstpublished":"2011-01-13T18:37:54Z","dateupdated":"2011-01-13T18:37:55Z","revision":13,"vrda_d1_directreport":"1","vrda_d1_population":"2","vrda_d1_impact":"2","cam_widelyknown":"10","cam_exploitation":"0","cam_internetinfrastructure":"3","cam_population":"15","cam_impact":"20","cam_easeofexploitation":"12","cam_attackeraccessrequired":"15","cam_scorecurrent":"13.1625","cam_scorecurrentwidelyknown":"23.2875","cam_scorecurrentwidelyknownexploited":"43.5375","ipprotocol":"","cvss_accessvector":"","cvss_accesscomplexity":"","cvss_authentication":null,"cvss_confidentialityimpact":"","cvss_integrityimpact":"","cvss_availabilityimpact":"","cvss_exploitablity":null,"cvss_remediationlevel":"","cvss_reportconfidence":"","cvss_collateraldamagepotential":"","cvss_targetdistribution":"","cvss_securityrequirementscr":"","cvss_securityrequirementsir":"","cvss_securityrequirementsar":"","cvss_basescore":"","cvss_basevector":"","cvss_temporalscore":"","cvss_environmentalscore":"","cvss_environmentalvector":"","metric":13.1625,"vulnote":null}