F-Secure applies its own band-aid

Security software maker F-Secure issued a patch Thursday for security flaws in two of its products, F-Secure Anti-Virus for Microsoft Exchange and F-Secure Internet Gatekeeper.

The security fixes are designed to address a buffer overflow flaw that could occur before the user authentication process begins. The buffer overflow could crash the Web console and potentially allow malicious attackers to execute arbitrary code, in certain circumstances.

Web consoles configured to allow connections from all hosts face a "critical" risk, whereas consoles set to allow connections from trusted or specific hosts within a corporate network face a "medium" risk, said an F-secure spokesman.

"The number of our customers who set it at 'all hosts' has to be low," said Mikko Hypponen, F-Secure chief research officer. "By default, our setting allows only the local host, though the more typical setting would be to allow selected hosts to connect."

F-Secure products that have the vulnerabilities include Anti-Virus for Microsoft Exchange version 6.40, as well as its Internet Gatekeeper versions 6.50, 6.42, 6.41 and 6.40.