Jan 17, 2011 18:25 GMT  ·  By

An important security issue has been identified in the popular ICQ instant messaging application, which could allow attackers to trick installations into downloading and executing fake updates.

The problem stems from the fact that ICQ updates are not downloaded from the developer's servers over a secure SSL connection and are not authenticated in any way beyond a metadata file describing the update.

The vulnerability was discovered by security researcher Daniel Seither and affects all versions of ICQ 7 for Windows up to version 7.2, build 3525.

The researcher also released a proof-of-concept ICQ update builder and a small HTTP server written in Python for serving the rogue updates.

To pull off such an attack, attackers need to hijack name resolution for update.icq.com so that the client contacts a server they control. This can be done by adding a rogue entry to the Windows "hosts" file, changing the system's DNS servers to rogue ones, compromising the local router, or through more sophisticated DNS cache poisoning techniques.

Many of these methods are already used by malware known as DNS hijackers, which shows they are not hard to put into practice.
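Of the hijacking methods listed above, the hosts-file override is the one an incident responder can check directly. The following is an added example written for this article, not code from the researcher or from ICQ; it parses hosts-file text and reports any entry that redirects a watched hostname, handling comments, aliases and mixed-case names. The sample hosts content is constructed, and the 192.0.2.10 address and the hypothetical Windows hosts path are assumptions for illustration.

```go
package main

import (
	"bufio"
	"fmt"
	"os"
	"strings"
)

// Override records one hosts-file entry that redirects a watched hostname.
type Override struct {
	Line int    // 1-based line number in the hosts file
	IP   string // address the name is forced to
	Host string // matched hostname, lower-cased
}

// FindHostOverrides scans hosts-file text for any entry naming one of the
// watched hostnames. "#" comments are ignored, every alias on a line is
// checked (hosts lines are "IP name [alias ...]") and matching is
// case-insensitive, since resolvers treat names case-insensitively.
func FindHostOverrides(hostsText string, watched []string) []Override {
	want := make(map[string]bool, len(watched))
	for _, w := range watched {
		want[strings.ToLower(w)] = true
	}
	var found []Override
	sc := bufio.NewScanner(strings.NewReader(hostsText))
	for n := 1; sc.Scan(); n++ {
		line := sc.Text()
		if i := strings.IndexByte(line, '#'); i >= 0 {
			line = line[:i] // strip trailing comment
		}
		fields := strings.Fields(line)
		if len(fields) < 2 {
			continue // blank, comment-only or malformed line
		}
		for _, name := range fields[1:] {
			if want[strings.ToLower(name)] {
				found = append(found, Override{Line: n, IP: fields[0], Host: strings.ToLower(name)})
			}
		}
	}
	return found
}

// SampleHosts is a constructed hosts file: stock Windows header lines plus
// two entries of the kind a DNS hijacker might add for the ICQ update host.
const SampleHosts = `# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
::1             localhost
192.0.2.10      update.icq.com     # constructed: rogue update server
192.0.2.10      Update.ICQ.COM www.example.invalid
`

// WindowsHostsPath is the hosts file location on a default Windows install
// (assumed here; adjust for non-standard system roots).
const WindowsHostsPath = `C:\Windows\System32\drivers\etc\hosts`

func main() {
	text := SampleHosts
	if b, err := os.ReadFile(WindowsHostsPath); err == nil {
		text = string(b) // on a Windows machine, check the real file instead
	}
	for _, o := range FindHostOverrides(text, []string{"update.icq.com"}) {
		fmt.Printf("line %d: %s overridden to %s\n", o.Line, o.Host, o.IP)
	}
}
```

A hosts-file check only covers one of the vectors; a rogue resolver setting or a compromised router needs to be checked separately, for example by comparing what the configured resolver returns for update.icq.com against a known-good resolver.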

ICQ checks for updates every time it starts, and by default it sets itself to run when Windows boots. This means that every restart of the computer is an opportunity to launch the attack.

"The next victim that is affected by the impersonation and that launches the ICQ client will now automatically download and install the fake update. On the next restart of the ICQ software, the fake ICQ.exe will be executed," the researcher explains.
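The root cause described above is that nothing ties the metadata file or the downloaded executable to the vendor, so whoever answers as update.icq.com is trusted. The following is an added example, not code from ICQ or from the researcher, contrasting that unauthenticated acceptance with a hardened client check: the vendor signs the update manifest with an Ed25519 key whose public half is pinned in the client, and the client verifies the signature before checking the downloaded file against the hash in the manifest. The manifest format, the version string and the byte strings standing in for the binaries are constructed for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest is a hypothetical update description: version, file and SHA-256.
type Manifest struct {
	Version string `json:"version"`
	File    string `json:"file"`
	SHA256  string `json:"sha256"`
}

// SignedManifest is the manifest bytes plus a detached Ed25519 signature.
type SignedManifest struct {
	Body      []byte
	Signature []byte
}

var (
	ErrBadSignature = errors.New("manifest signature does not verify against the pinned vendor key")
	ErrHashMismatch = errors.New("downloaded file does not match the hash in the signed manifest")
)

func hexSHA256(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// BuildSigned runs on the vendor's build system; the private key never
// reaches the client.
func BuildSigned(priv ed25519.PrivateKey, m Manifest) (SignedManifest, error) {
	body, err := json.Marshal(m)
	if err != nil {
		return SignedManifest{}, err
	}
	return SignedManifest{Body: body, Signature: ed25519.Sign(priv, body)}, nil
}

// VulnerableAccept models the behaviour the advisory describes: trust whatever
// metadata file the host answering as update.icq.com returns. No signature,
// no hash, so any server reached through poisoned DNS wins.
func VulnerableAccept(body []byte) (Manifest, error) {
	var m Manifest
	err := json.Unmarshal(body, &m)
	return m, err
}

// VerifyUpdate is the hardened client check against the pinned vendor key.
// A forged manifest fails the signature check, and a swapped binary fails the
// hash check even when a genuine manifest is replayed.
func VerifyUpdate(pub ed25519.PublicKey, sm SignedManifest, file []byte) (Manifest, error) {
	if !ed25519.Verify(pub, sm.Body, sm.Signature) {
		return Manifest{}, ErrBadSignature
	}
	var m Manifest
	if err := json.Unmarshal(sm.Body, &m); err != nil {
		return Manifest{}, err
	}
	if hexSHA256(file) != m.SHA256 {
		return Manifest{}, ErrHashMismatch
	}
	return m, nil
}

// DemoResult records the outcome of each scenario so it can be checked.
type DemoResult struct {
	GenuineVersion     string // version accepted through the hardened path
	RogueManifestErr   error  // attacker-signed manifest vs the pinned key
	TamperedFileErr    error  // genuine manifest replayed with a swapped file
	VulnerableAccepted bool   // rogue manifest accepted by the unauthenticated path
}

// RunDemo plays the scenarios with constructed stand-ins for the binaries.
func RunDemo() (DemoResult, error) {
	var r DemoResult
	vendorPub, vendorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return r, err
	}
	_, attackerPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return r, err
	}
	genuine := []byte("constructed stand-in for the real ICQ.exe")
	rogue := []byte("constructed stand-in for a trojanised ICQ.exe")

	signed, err := BuildSigned(vendorPriv, Manifest{Version: "7.2-example", File: "ICQ.exe", SHA256: hexSHA256(genuine)})
	if err != nil {
		return r, err
	}
	m, err := VerifyUpdate(vendorPub, signed, genuine)
	if err != nil {
		return r, err
	}
	r.GenuineVersion = m.Version

	// Attacker behind poisoned DNS signs a manifest for the rogue file with their own key.
	forged, err := BuildSigned(attackerPriv, Manifest{Version: "7.2-example", File: "ICQ.exe", SHA256: hexSHA256(rogue)})
	if err != nil {
		return r, err
	}
	_, r.RogueManifestErr = VerifyUpdate(vendorPub, forged, rogue)
	// Attacker replays the genuine manifest but serves the rogue file.
	_, r.TamperedFileErr = VerifyUpdate(vendorPub, signed, rogue)
	// The unauthenticated client accepts the forged manifest without complaint.
	_, err = VulnerableAccept(forged.Body)
	r.VulnerableAccepted = err == nil
	return r, nil
}

func main() {
	r, err := RunDemo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("hardened client accepted genuine update %q\n", r.GenuineVersion)
	fmt.Println("hardened client vs attacker-signed manifest:", r.RogueManifestErr)
	fmt.Println("hardened client vs swapped file:", r.TamperedFileErr)
	fmt.Println("unauthenticated client accepted rogue update:", r.VulnerableAccepted)
}
```

Pinning the vendor key in the client is what makes the DNS hijack harmless: serving the update over SSL alone would still leave the client at the mercy of whichever certificate validation it performs, whereas a signature over the manifest plus a hash over the file holds regardless of how the bytes were fetched.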

The issue was publicly disclosed because the vendor did not respond to reports sent via CERT. US-CERT has also issued a warning about the vulnerability.

ICQ is currently owned by Russian investment firm Digital Sky Technologies, which acquired the product from AOL in April 2010.

The program is highly popular in Russia, where it currently leads all other instant messaging applications. Because automatic updates cannot be turned off, the researcher advises users to stop using ICQ until a fix is provided.