The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.
F-Secure Anti-Virus: code execution via fsresh.dll
Synthesis of the vulnerability
An attacker can invite the victim to display a malicious HTML document calling the F-Secure Gadget Resource Handler ActiveX control, in order to execute code on the victim's computer.
Impacted software: F-Secure AV.
Severity of this computer vulnerability: 3/4.
Consequences of an attack: user access/rights.
Attacker's origin: document.
Creation date: 24/08/2011.
References for this bulletin: BID-49293, FSC-2011-3, VIGILANCE-VUL-10948.
Description of the vulnerability
F-Secure products install the F-Secure Gadget Resource Handler ActiveX control (fsresh.dll).
However, the initialize() method of this ActiveX control does not check the size of its second parameter. An attacker can thus pass an overly long parameter in order to corrupt memory.
An attacker can therefore invite the victim to display a malicious HTML document calling the F-Secure Gadget Resource Handler ActiveX control, in order to execute code on the victim's computer.
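The missing size check described above, shown as its checked counterpart in C. This is an added example, not F-Secure's code: the function name gadget_initialize, the state struct, the 260-character buffer and the status codes are all hypothetical.

```c
#include <stddef.h>
#include <string.h>
#include <wchar.h>

/* Assumed capacity of the internal buffer, in wide characters (hypothetical). */
#define RESOURCE_MAX 260

enum init_status { INIT_OK = 0, INIT_BAD_ARG = -1, INIT_TOO_LONG = -2 };

/* Hypothetical control state; the real fsresh.dll layout is not public. */
struct gadget_state {
    wchar_t resource[RESOURCE_MAX];
    int initialized;
};

/* Length of s, scanning at most `limit` characters; returns `limit` if no
 * terminator is found inside that window, so the scan never runs away. */
static size_t bounded_wlen(const wchar_t *s, size_t limit)
{
    size_t n = 0;
    while (n < limit && s[n] != L'\0')
        n++;
    return n;
}

/* Unchecked pattern, the bug class the bulletin describes:
 *     wcscpy(st->resource, second);    (length is set by the caller)
 * Checked form: measure first, reject anything that does not fit. */
int gadget_initialize(struct gadget_state *st,
                      const wchar_t *first, const wchar_t *second)
{
    if (st == NULL || first == NULL || second == NULL)
        return INIT_BAD_ARG;

    size_t len = bounded_wlen(second, RESOURCE_MAX);
    if (len >= RESOURCE_MAX) {        /* no room left for the terminator */
        st->initialized = 0;
        return INIT_TOO_LONG;         /* reject; do not truncate silently */
    }

    /* second[len] is the terminator, so len + 1 characters copy it too. */
    memcpy(st->resource, second, (len + 1) * sizeof(wchar_t));
    st->initialized = 1;
    return INIT_OK;
}
```

Rejecting an over-long value, rather than truncating it, keeps the control from acting on a resource name the caller never supplied.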