F-Secure applies its own band-aid
The security fixes are designed to address a buffer overflow flaw that could occur before the user authentication process begins. The buffer overflow could crash the Web console and, in certain circumstances, potentially allow attackers to execute arbitrary code.
Web consoles configured to allow connections from all hosts face a "critical" risk, whereas consoles set to allow connections from trusted or specific hosts within a corporate network face a "medium" risk, said an F-Secure spokesman.
"The number of our customers who set it at 'all hosts' has to be low," said Mikko Hypponen, F-Secure chief research officer. "By default, our setting allows only the local host, though the more typical setting would be to allow selected hosts to connect."
F-Secure products that have the vulnerabilities include Anti-Virus for Microsoft Exchange version 6.40, as well as its Internet Gatekeeper versions 6.50, 6.42, 6.41 and 6.40.