January 19, 2006 8:36 AM PST

F-Secure issues patch for critical flaws

Security vendor F-Secure issued a patch Thursday to deal with critical flaws in a number of its antivirus and Internet security products.

Flaws in the way F-Secure software handles ZIP and RAR data compression archives could allow an attacker to remotely execute code on users' systems and also to bypass F-Secure's antivirus-scanning capabilities.

Vulnerabilities were found in 19 versions of F-Secure's antivirus products for Microsoft Windows, as well as in its products for Linux, according to F-Secure's advisory.

F-Secure was originally advised of the scanning vulnerability by independent researcher Thierry Zoller, said Mikko Hypponen, F-Secure's chief research officer. In researching the bug, he said, "we found that the vulnerabilities were much more serious. We found it was not just the scanning that could be bypassed but also (that) a malicious attacker could execute code."

Attackers could create a modified ZIP archive that could lead to a buffer overflow, allowing for the execution of code that could take over a user's system. The flaws could also allow attackers to create malformed RAR and ZIP archives that couldn't be properly scanned for malicious software.

The affected software includes F-Secure's Anti-Virus for Windows Servers versions 5.52 and earlier, Anti-Virus for MS Exchange versions 6.40 and earlier, and Anti-Virus for Linux Workstations versions 4.52 and earlier, as well as 16 other versions of the software.

"We learned of the scanning bug in early December, but because it affected a wide range of our products, we wanted to release a fix for all (of the affected versions) at once," Hypponen said.

F-Secure's "critical" security update is its first in 2006. Last February, the company issued updates for flaws found in its antivirus library.

F-Secure is the latest security vendor to find flaws in its software. Earlier this month, security giant Symantec issued a patch to fix vulnerabilities in its NortonWorks products that could allow an attacker to hide malicious software. And in October, Kaspersky Lab patched vulnerabilities in its antivirus library.
