SECURITYVULNS:DOC:12580
May 09, 2006 - 12:00 a.m.

ICQ Client Cross-Application Scripting (XAS)

by [email protected]

Severity:
Low

Potential Impact:
Remote script execution

Under some conditions, the ICQ client is vulnerable to remote script injection into the Internet Explorer
instance it uses, in the My Computer security zone.

Detailed description

<quote src=http://www.security.nnov.ru/Jdocument327.html>
Cross application scripting (XAS) is possible when an application executes data in a security context
different from the original content (presumably one with less security restrictions). For example the data
may be obtained from an un-trusted source (a remote web server) that is sent unfiltered into a trusted
application such as when web content is downloaded from a remote server, and then re-displayed on the local
host. Any application that downloads and then later displays and executes web content (such as JavaScript)
may be vulnerable to XAS.
</quote>

ICQ Client has a very annoying advertising function. Banners are displayed in an Internet Explorer COM object
embedded in the main window, the “Welcome Screen” and every “Message Session” dialog. Under some conditions an
attacker can replace the HTML content in these forms with a malicious script, which will be executed in the
My Computer security zone of Internet Explorer.

Technical information will be published (three months, maybe years) after the
vendor provides a patch.

Workaround

echo 127.0.0.1 ar.atwola.com >> c:\WINDOWS\system32\drivers\etc\hosts
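
A check that the workaround above actually took effect, as an added example that is not part of the original advisory. It parses hosts-file text and reports whether ar.atwola.com is mapped only to loopback; the function names, status strings and sample files are constructed for illustration.

```python
import ipaddress

BANNER_HOST = "ar.atwola.com"  # host named in the advisory's workaround

def hosts_mappings(text, hostname):
    """Return every address that an active hosts-file entry assigns to hostname."""
    found = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()   # '#' starts a comment
        if len(fields) < 2:
            continue                            # blank, comment-only or malformed
        addr, names = fields[0], fields[1:]
        if hostname.lower() in (n.lower() for n in names):
            found.append(addr)
    return found

def is_loopback(addr):
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False

def workaround_status(text, hostname=BANNER_HOST):
    """Classify the state of the sinkhole entry (status strings are illustrative)."""
    addrs = hosts_mappings(text, hostname)
    if not addrs:
        # Name present but in no active entry: typically `echo ... >>` appended it
        # to a final comment line because the file had no trailing newline.
        present = hostname.lower() in text.lower()
        return "inactive" if present else "missing"
    return "sinkholed" if all(is_loopback(a) for a in addrs) else "conflict"

# Constructed sample hosts files (not taken from any real machine).
SAMPLES = {
    "applied":  "127.0.0.1 localhost\r\n127.0.0.1 ar.atwola.com \r\n",
    "appended": "127.0.0.1 localhost\r\n# local overrides127.0.0.1 ar.atwola.com\r\n",
    "override": "203.0.113.5 ar.atwola.com\r\n127.0.0.1 ar.atwola.com\r\n",
    "untouched": "127.0.0.1 localhost\r\n",
}

if __name__ == "__main__":
    for label, text in SAMPLES.items():
        print(label, "->", workaround_status(text))
```
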

Disclosure timeline
5/2005 Vulnerability discovered
4/2006 Last attempt to contact vendor
5/2006 Public disclosure

References
http://www.security.nnov.ru/Jdocument281.html
http://www.securitylab.ru/contest/212127.php