A security researcher is warning of a major vulnerability in instant messaging package ICQ that leaves users on all platforms open to attack, thanks to a poorly-implemented automatic update system.
Researcher Daniel Seither was investigating the messaging client, which has waned in popularity since AOL sold it to Russian investment firm Digital Sky Technologies back in April but still has a significant number of users, when he discovered that the built-in system for keeping the client up to date takes no measures to verify the legitimacy of the updates it receives.
While most software packages that download updates use some form of digital signing, ICQ happily downloads its updates and installs them without this all-important step - meaning ne'er-do-wells who can control what the client fetches can replace the update code with a surprise of their own.
To publicise the extent of the issue, Seither has released a proof-of-concept package that turns third-party code into valid ICQ updates that will be installed and executed by the client.
In order to trick ICQ into installing his fraudulent packages, the DNS entry for update.icq.com must be overridden to point to a server under the control of the attacker - a process known as 'DNS hijacking' or 'DNS poisoning,' and something in which spyware and malware authors are well versed.
Unfortunately, the flaw rests with the overall design of the ICQ update platform, rather than a particular version - and Seither's advice for its many users is to switch to an alternative client until Digital Sky adds in some form of validity check to the update system.
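The validity check the article says is missing is, in its simplest form, a detached digital signature over the update that the client verifies before writing anything to disk. The Go program below is an added illustration of that check; it is not ICQ's code or Seither's proof-of-concept, and the key pair, version string and payload are constructed for the example. The point it makes is that once the client insists on a signature from the vendor's key, it no longer matters who answers for update.icq.com: a substituted payload, a stripped signature, or a genuine package relabelled with a different version all fail verification and are refused.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Update is what the update server hands to the client: the package bytes
// plus a detached signature made with the vendor's private signing key.
// This is a hypothetical format, not ICQ's actual update protocol.
type Update struct {
	Version   string
	Payload   []byte
	Signature []byte // Ed25519 over updateDigest; empty when the update is unsigned
}

// updateDigest binds the version label to the payload so that a genuinely
// signed package cannot be replayed to the client under another version.
func updateDigest(version string, payload []byte) []byte {
	h := sha256.New()
	h.Write([]byte(version))
	h.Write([]byte{0}) // separator so "1.0"+"abc" and "1.0a"+"bc" differ
	h.Write(payload)
	return h.Sum(nil)
}

// NewVendorKey generates the vendor's signing key pair. In practice the private
// half lives on the build infrastructure and only the public half ships in the client.
func NewVendorKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// SignUpdate is the vendor side: run once per release with the private key.
func SignUpdate(priv ed25519.PrivateKey, version string, payload []byte) Update {
	return Update{
		Version:   version,
		Payload:   payload,
		Signature: ed25519.Sign(priv, updateDigest(version, payload)),
	}
}

// VerifyUpdate is the client side. It must succeed before the update is
// installed or executed; the transport (DNS, HTTP) is given no trust at all,
// which is exactly the check the article describes ICQ as lacking.
func VerifyUpdate(pub ed25519.PublicKey, u Update) error {
	if len(u.Signature) != ed25519.SignatureSize {
		return errors.New("update carries no signature of the expected length; refusing to install")
	}
	if !ed25519.Verify(pub, updateDigest(u.Version, u.Payload), u.Signature) {
		return errors.New("signature does not verify; update was altered or not signed by the vendor")
	}
	return nil
}

func main() {
	pub, priv := NewVendorKey()

	// Constructed release: what the real vendor would publish.
	genuine := SignUpdate(priv, "example-1.0", []byte("constructed update payload"))
	fmt.Println("genuine update:", VerifyUpdate(pub, genuine))

	// What a hijacked update.icq.com could serve: same version, different code.
	substituted := genuine
	substituted.Payload = []byte("substituted payload")
	fmt.Println("substituted payload:", VerifyUpdate(pub, substituted))

	// An update with the signature stripped, as an unsigned scheme would accept.
	unsigned := Update{Version: genuine.Version, Payload: genuine.Payload}
	fmt.Println("unsigned update:", VerifyUpdate(pub, unsigned))

	// A genuine package replayed under a different version label.
	replayed := genuine
	replayed.Version = "example-0.9"
	fmt.Println("relabelled update:", VerifyUpdate(pub, replayed))
}
```

The first case passes and the other three are rejected. Note that signature verification on its own does not stop a rollback to an older, still-signed release; binding the version into the digest and having the client refuse versions older than the one installed is the usual addition.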
More information on the vulnerability is available over on the US-CERT website.