F-Secure has patched a remote code execution vulnerability that affected several of its security products and exposed users to drive-by download attacks.
The buffer overflow vulnerability was discovered by security consultant Anil Aphale, aka 41.w4r10r, and is located in the F-Secure Gadget Resource Handler ActiveX Control (fsresh.dll).
According to vulnerability management vendor Secunia, which rates this vulnerability as highly critical, the flaw is caused by a boundary error in the handling of the "initialize()" method.
The vulnerability can be exploited by tricking victims into visiting a specially-crafted web page using Internet Explorer.
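As an added example (not code from the article, F-Secure or Secunia), the following Python scanner is something a defender could run over saved web pages or proxy-captured HTML to flag pages that instantiate a watched ActiveX control and then call its initialize() method with an oversized or computed argument. The CLSID and ProgID are placeholders, since the article names neither; the real values would come from the vendor advisory or the registry of an affected machine. The two sample pages are constructed for the test.

```python
import re
from html.parser import HTMLParser

# Placeholder identifiers (constructed for this example): the article does not
# give the control's CLSID or ProgID. Replace them with the real values from the
# vendor advisory or from HKCR\CLSID on an affected machine before use.
WATCHED_CLSIDS = {"00000000-0000-0000-0000-000000000000"}
WATCHED_PROGIDS = {"FSecure.Example.ResourceHandler"}
LONG_ARG = 256  # a string literal longer than this passed to initialize() is flagged

ACTIVEX_RE = re.compile(r"""new\s+ActiveXObject\s*\(\s*["']([^"']+)["']\s*\)""", re.I)
# initialize( "literal" )  or  initialize( anything-not-a-paren )
INIT_RE = re.compile(r"""\.initialize\s*\(\s*(?:(["'])(.*?)\1|([^)]*))\)""", re.I | re.S)


def normalize_clsid(value):
    """Lower-case a classid value and strip the 'clsid:' prefix and braces."""
    v = value.strip().lower()
    if v.startswith("clsid:"):
        v = v[len("clsid:"):]
    return v.strip("{}")


class _Collector(HTMLParser):
    """Collects <object classid=...> values and the body of each inline <script>."""

    def __init__(self):
        super().__init__()
        self.classids = []
        self.scripts = []
        self._buf = None  # non-None while inside a <script> element

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "object" and attrs.get("classid"):
            self.classids.append(normalize_clsid(attrs["classid"]))
        elif tag == "script":
            self._buf = []

    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            self.scripts.append("".join(self._buf))
            self._buf = None

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)


def scan_html(html):
    """Return a list of (kind, detail) findings for one HTML page."""
    col = _Collector()
    col.feed(html)
    findings = []
    for clsid in col.classids:
        if clsid in WATCHED_CLSIDS:
            findings.append(("watched_object", clsid))
    script = "\n".join(col.scripts)
    for m in ACTIVEX_RE.finditer(script):
        if m.group(1) in WATCHED_PROGIDS:
            findings.append(("watched_activexobject", m.group(1)))
    for m in INIT_RE.finditer(script):
        if m.group(2) is not None:  # string literal argument
            kind = "initialize_long_literal" if len(m.group(2)) > LONG_ARG else "initialize_literal"
            findings.append((kind, len(m.group(2))))
        else:  # computed argument (variable, concatenation, Array().join(...), ...)
            findings.append(("initialize_computed_arg", m.group(3).strip()))
    return findings


def is_suspicious(findings):
    """True when a watched control is instantiated and initialize() is called."""
    kinds = {k for k, _ in findings}
    instantiated = kinds & {"watched_object", "watched_activexobject"}
    called = kinds & {"initialize_literal", "initialize_long_literal", "initialize_computed_arg"}
    return bool(instantiated and called)


# Constructed sample pages: one benign, one that instantiates the placeholder
# control and hands initialize() a 300-byte string.
BENIGN_PAGE = """<html><body><p>hello</p>
<script>var x = document.getElementById("a");</script></body></html>"""

CONSTRUCTED_PAGE = (
    '<html><body>'
    '<object id="fs" classid="clsid:{00000000-0000-0000-0000-000000000000}"></object>'
    '<script>var fs = document.getElementById("fs"); fs.initialize("'
    + "A" * 300 + '");</script></body></html>'
)

if __name__ == "__main__":
    for name, page in (("benign", BENIGN_PAGE), ("constructed", CONSTRUCTED_PAGE)):
        f = scan_html(page)
        print(name, "suspicious" if is_suspicious(f) else "clean", f)
```

The literal-length heuristic only catches the simplest case; an argument built at runtime is reported as a computed argument so an analyst can look at the script by hand, which is why a page is marked suspicious whenever a watched control is both instantiated and initialized.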
F-Secure Anti-Virus 2010 and 2011, F-Secure Internet Security 2010 and 2011, as well as products based on F-Secure Protection Service for Consumers version 9 and F-Secure Protection Service for Business - Workstation security version 9 are affected by this flaw.
However, end users don't need to take any action if they have their products configured to update themselves automatically, which is the default behavior.
"
These products are affected by the vulnerability, but the needed hotfix is distributed automatically by the update system. End users do not need to take any actions," the F-Secure
advisory reads.
Like any other software, antivirus products can suffer from security vulnerabilities and sometimes these can have a high risk. It is nevertheless ironic that an application designed to protect users from drive-by downloads ends up enabling such attacks.
This is similar to the time when the Internet Explorer XSS filter was found vulnerable to cross-site scripting attacks. The vulnerability is a reminder of why people should never rely on a single layer of protection.
Proof-of-concept exploit code is publicly available, but the likelihood of it being exploited in the wild is extremely low considering the automatic patching process and the limited number of potential targets.