The security hole in the antivirus library affects 18 products for desktops, servers and gateways, with the network products at "critical" risk, F-Secure said in a bulletin Thursday. By creating a specially crafted ARJ archive file, an intruder could use a buffer overflow to run arbitrary code on an unpatched machine, said Tony Magellanez, a systems engineer at F-Secure.
"At this point, it's a theoretical exploit," Magellanez said, noting that Internet Security Systems, which discovered the flaw, had not provided F-Secure with an example of malformed ARJ code. "ISS gave us details of how it could be done, and we created a patch."
The vulnerability could enable intruders to spy on confidential company information, ISS said in its advisory. It noted that several large vendors and Internet security providers use the antivirus library in their products.
F-Secure is urging all customers to apply the patch. Magellanez said businesses with managed security could use the policy manager to automatically send the update to individual users' machines. The fix has already been distributed to ISPs so they can get it out to members, Magellanez said.
On Tuesday, security software makerits customers to a vulnerability in its own antivirus library, also found by ISS. The scanning software flaw, which affects the majority of Symantec's antivirus and antispam products, could cause a virus to execute, rather than catch it.
Internet Security Systems could not immediately provide a representative to comment on the issue.