What does this mean?
The incoming message window in the vulnerable ICQ client works like a mini web browser. An attacker can try to exploit the vulnerability by sending specially crafted message to the remote ICQ client. The malicious message can contain text data which will be interpreted and displayed in the incoming message window as a HTML code. Potentially an arbitrary HTML code could be injected.
There are two risks that have been identified:
1. Information disclosure
For example, an attacker can inject <IMG> tag that could lead information disclosure (such as remote client’s IP address, browser version, OS version, etc.)
An attacker can spoof ICQ client software’s system messages, interface elements (buttons, links) in the message window, etc. For example, it could be used for forcing of the ICQ users to click on attacker’s malicious link.
The vulnerability exists in the lastest build of ICQ 6.5, and may affect older versions as well.