Secunia Advisory: SA29138
Release Date: 2008-02-28
Critical: Highly critical
Impact: System access
Where: From remote
Solution Status: Unpatched
Software: ICQ 6.x
Description:
B0B has discovered a vulnerability in ICQ, which can be exploited by malicious people to compromise another user's system.
The vulnerability is caused by a format string error when generating HTML code to display messages in the embedded Internet Explorer component. It can be exploited by sending specially crafted messages containing format string specifiers to another user.
Successful exploitation allows the execution of arbitrary code.
The vulnerability is confirmed in ICQ 6 build 6043. Other versions may also be affected.
Solution:
Enable the "Accept messages only from contacts" option and remove untrusted users from your contact list.
If the "Ask me before displaying messages from people I don't know" option is enabled, discard incoming messages.
Security Bulletin