F-Secure Patches Web Console Bug

Security vendor F-Secure has patched a vulnerability that could possibly be exploited to run unauthorized code on its e-mail and Internet gateway server software.

Two of the company's products are affected by the flaw, which was patched Thursday: Secure's Anti-Virus for Microsoft Exchange 6.40 and Internet Gatekeeper, versions 6.40, 6.41, 6.42 and 6.50.

The bug affects the Web-based management console software used by these servers, said Mikko Hypponen, manager of antivirus research at F-Secure. By sending specially crafted messages to the Web console, a hacker could crash it.

This software is typically set to only accept connections from trusted computers, such as the workstation of the network administrator responsible for the server, but it can be configured to accept connections from any computer. F-Secure rates this bug as critical in this latter configuration.

No Attacks Reported

The flaw was discovered by a legitimate security researcher, Mikko Korppi, who notified F-Secure of the problem. The company does not know of any attackers who have exploited the problem.

Still, because the flaw is due to a "buffer overflow" condition, where the software ends up storing information in unexpected parts of the computer's memory, it could theoretically be used by attackers to run unauthorized software on unpatched servers, Hypponen said.

F-Secure isn't the only security vendor to patch its software of late. On Saturday, Symantec published a fix for a widely reported flaw in its corporate antivirus client software.