The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a vigilance database and tools to fix them.

Vulnerability of F-Secure Anti-Virus: SQL execution via an ActiveX

Summary of the vulnerability

An attacker can lure the victim into viewing a malicious web site with Internet Explorer, which loads an ActiveX control installed by F-Secure Anti-Virus, in order to execute SQL queries through ODBC drivers.
Vulnerable systems: F-Secure AV.
Severity of this threat: 3/4.
Creation date: 25/04/2013.
References for this weakness: BID-59443, CERTA-2013-AVI-273, CVE-2013-7369, FSC-2013-1, VIGILANCE-VUL-12716.

Description of the vulnerability 

The F-Secure Anti-Virus product installs an ActiveX control on the system. This control connects to the ODBC driver and transmits SQL queries.

However, the control can be instantiated from Internet Explorer.

An attacker can therefore lure the victim into viewing a malicious web site with Internet Explorer, which loads the ActiveX control installed by F-Secure Anti-Virus, in order to execute SQL queries through ODBC drivers.
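
Whether an installed ActiveX control is exposed to Internet Explorer can be checked from its registry entries (kill bit and "safe" category registrations). The PowerShell script below is an added example, not part of the original bulletin or of F-Secure's fix; the CLSID is a placeholder because the bulletin does not give the control's identifier.

```powershell
# Audit how an ActiveX control is exposed to Internet Explorer.
# Assumption: the CLSID is a placeholder, the bulletin does not list it.
param(
    [string]$Clsid = '{00000000-0000-0000-0000-000000000000}'  # placeholder, replace
)

$KillBit = 0x400  # COMPAT_EVIL_DONT_LOAD: IE refuses to instantiate the control
$SafeCategories = @{
    '{7DD95801-9882-11CF-9FA9-00AA006C42C4}' = 'SafeForScripting'
    '{7DD95802-9882-11CF-9FA9-00AA006C42C4}' = 'SafeForInitializing'
}
# Native and 32-bit (WOW64) registry views; 32-bit IE reads the second one.
$Views = 'HKLM:\SOFTWARE', 'HKLM:\SOFTWARE\Wow6432Node'

foreach ($view in $Views) {
    # Machine-wide COM registration of the control in this view.
    $clsidKey = Join-Path $view "Classes\CLSID\$Clsid"
    if (-not (Test-Path -LiteralPath $clsidKey)) { continue }

    # The kill bit is stored in the "Compatibility Flags" DWORD.
    $compatKey = Join-Path $view "Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
    $flags = 0
    if (Test-Path -LiteralPath $compatKey) {
        $prop = Get-ItemProperty -LiteralPath $compatKey -Name 'Compatibility Flags' `
                    -ErrorAction SilentlyContinue
        if ($prop) { $flags = [int]($prop.'Compatibility Flags') }
    }
    $killed = ($flags -band $KillBit) -ne 0

    # Controls registered under these categories are treated as safe by IE.
    $declared = @(foreach ($cat in $SafeCategories.Keys) {
        if (Test-Path -LiteralPath (Join-Path $clsidKey "Implemented Categories\$cat")) {
            $SafeCategories[$cat]
        }
    })

    # A control can also report safety at run time through IObjectSafety,
    # which a registry check cannot see; treat "undeclared" as unknown, not safe.
    $exposure = if ($killed) { 'blocked by kill bit' }
                elseif ($declared.Count -gt 0) { 'loadable and marked safe' }
                else { 'loadable, safety decided at run time' }

    [pscustomobject]@{
        RegistryView   = $view
        KillBitSet     = $killed
        SafeCategories = ($declared -join ', ')
        Exposure       = $exposure
    }
}
```

No output means the CLSID is not registered machine-wide in either registry view.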

This vulnerability alert impacts software or systems such as F-Secure AV.

Our Vigil@nce team determined that the severity of this computer weakness alert is important.

The trust level is of type "confirmed by the editor", with a document as its origin.

An attacker with expert ability can exploit this computer vulnerability.

Solutions for this threat 

F-Secure Anti-Virus: patch for ActiveX.
A patch is available:
  F-Secure Anti-Virus for Microsoft Exchange Server:
    ftp://ftp.f-secure.com/support/hotfix/fsav-mse/FSAVMSE910-HF02.fsfix
    ftp://ftp.f-secure.com/support/hotfix/fsav-mse/FSAVMSE910-HF02.jar
  F-Secure Anti-Virus for Windows Servers:
    ftp://ftp.f-secure.com/support/hotfix/fsav-server/FSAVSRV900_HF09.fsfix
    ftp://ftp.f-secure.com/support/hotfix/fsav-server/FSAVSRV900_HF09.jar
  F-Secure Anti-Virus for Citrix Servers:
    ftp://ftp.f-secure.com/support/hotfix/fsav-server/FSAVSRV900_HF09.fsfix
    ftp://ftp.f-secure.com/support/hotfix/fsav-server/FSAVSRV900_HF09.jar