Antivirus software supplier F-Secure has issued a patch
for its products after a Luxembourg-based security researcher
reported vulnerabilities in the way F-Secure software handled ZIP
and RAR format data compression archives.
The problem could allow an attacker to execute code remotely on
users' systems and bypass F-Secure's antivirus-scanning
capabilities. F-Secure customers have now received an automated hot
fix to cure the problem.
The flaw is said to affect "millions" of F-Secure customers, but
it is believed the vulnerability has yet to be exploited.
The majority of F-Secure's antivirus products are affected,
including F-Secure Anti-Virus for Windows Servers 5.52 and F-Secure
Anti-Virus for Workstations 5.44, as well as earlier versions of
both products, together with antivirus scanners for Linux, Samba
and firewalls.
Details of the vulnerability were withheld from the public to give
F-Secure the opportunity to patch the flaws, which must be the most
practical way forward. Only when a company drags its feet over
patching and refuses to recognise a problem should the adverse
publicity weapon be used.