Possible vulnerabilities of ICQ files opened in IE or OE

[<silentsupporter () poczta onet pl>]

Hello everybody,

Sorry for my lingo, but I had to learn it in a huge pain. 
However, if you don't like or cannot understand it, try 
to learn polish instead [gotcha =o)]

Maybe it's an old topic, but maybe not.

While playing with ICQ i have found that the program 
registers for its own use files with .uin extension. Of 
course it's not a big deal, but what's really interesting, 
is about to be described in a moment. 

.uin files may be opened from any homepage and 
Internet Explorer does not ask for confirmation while 
opening them.
After I had found it out,  the next idea was to:
-check other file extensions in Registry that are 
registered by ICQ 
-test if the browser opens them in the same way as 
above

ICQ registers the following extensions in Registry
- .pnq - ICQ Plugin
- .scm - ICQ Sound Scheme
- .uin - ICQ User
- .hpf - ICQ Home Page Factory

What I did was very trivial. I created some test files 
and then I clicked them one by one in Windows 
Explorer. The prize was waiting with a .hpf extension. 
A simple file with few lines of text inside, when 
clicked, it killed my ICQ at once.
So, the next step was to check if it works from the 
Internet. It did, aussi.

I am too busy at the moment to play with a debugger 
and look further for real exploits, but i bet it is 
possible to find some, because according to the way 
it worked while i've been testing, ICQ does not check 
the content of the files before usage. I bet that some 
vulnerable code should be really easy to create. 

Conclusion:
The first impression is that it may be used to kill ICQ 
only, but i bet that running specific code would be 
possible too. If you remember that it may be opened 
through Internet Explorer without notice, a lot of 
possible scenarios come to mind at once - does 
attachement for OE sound familiar =o)? It works.
Worms may use it easily.

To test what was described above:
- run ICQ
- go to my home page and open this link
http://sztolnia.pl/hack/icqkiller/icqkiller.hpf
it contains only few lines of text

Tested on 
IE 6.0
ICQ 2002a #3722

Off-topic:
As this is my first post to bugtraq i want to introduce 
myself in just a second. My name is Adam 
Blaszczyk, I am the author of two books about 
computer viruses and malware published in 1998 
and 2001 and around 20 articles about security and 
malware, published in leading computer magazines 
in Poland. I love my wife Ka Kee and i wait 
impatiently till she come to me from Hong Kong in 
June, 2002. I mention here cuz ... I miss her like hell, 
hope you don't mind guys =o)

Adam Blaszczyk
silentsupporter_poczta_onet_pl