What does this mean?
The incoming message window in the vulnerable ICQ client works like a mini web browser. An attacker can try to exploit the vulnerability by sending specially crafted message to the remote ICQ client. The malicious message can contain text data which will be interpreted and displayed in the incoming message window as a HTML code. Potentially an arbitrary HTML code could be injected.
There are two risks that have been identified:
1. Information disclosure
For example, an attacker can inject <IMG> tag that could lead information disclosure (such as remote client’s IP address, browser version, OS version, etc.)
An attacker can spoof ICQ client software’s system messages, interface elements (buttons, links) in the message window, etc. For example, it could be used for forcing of the ICQ users to click on attacker’s malicious link.
The vulnerability exists in the lastest build of ICQ 6.5, and may affect older versions as well.
ICQ (pronounced “I seek you”) is the grand-daddy of all instant messaging programs. Yep… Long before MSN or Yahoo, there was ICQ. It may not have been pretty, but if you wanted instant messaging, that’s what you probably used.
ICQ has grown over the years and claims over 100 million users worldwide. More and more features were added to ICQ, and many people avoid it now because of it’s complexity and “feature bloat;” unnecessary and unwanted features. Other loyal fans swear by the little upstart, and continue to use it even though it’s now a part of giant AOL/Time Warner.
You might think that since AIM and ICQ are both owned by AOL that they would together, but sadly, this is not the case. The good news (for ICQ users, at least) is that AOL seems content to let ICQ continue to grow and develop independently of AIM, so you can expect support and updates for at least the foreseeable future.
Good news for ICQ fans! Tired of the giant download and system requirements of the full-blown version of ICQ? Well the good folks at ICQ have felt your pain, and responded with a new, leaner and cleaner version: ICQ Lite! They’ve stripped down a lot of the bells-and-whistles and created a small download with a much cleaner, easier-to-use interface. Bravo!!! You can check out some screen shots here in our ICQ forum.