F-Secure Anti-Virus Client Security Local Format String Vulnerability

Bugtraq ID:	23023
Class:	Input Validation Error
CVE:
Remote:	No
Local:	Yes
Published:	Mar 19 2007 12:00AM
Updated:	Mar 19 2007 09:24PM
Credit:	Deral Heiland from Layered Defense Research discovered this issue.
Vulnerable:	F-Secure Anti-Virus Client Security 6.03 F-Secure Anti-Virus Client Security 6.02
Not Vulnerable:

F-Secure Anti-Virus Client Security Local Format String Vulnerability

F-Secure Anti-Virus Client Security is prone to a format-string vulnerability because it fails to properly sanitize user-supplied input before using it in the format-specifier argument to a formatted-printing function.

Successfully exploiting this vulnerability may allow an attacker to access sensitive process memory or to crash the application. Code execution may potentially be possible, but this has not been confirmed.

F-Secure Anti-Virus Client Security Local Format String Vulnerability

Currently we are not aware of any exploits for this issue. If you feel we are in error or if you are aware of more recent information, please mail us at: mailto:[email protected].

F-Secure Anti-Virus Client Security Local Format String Vulnerability

Solution:
The vendor has released patches to address this issue. Please see the references for more information.


F-Secure Anti-Virus Client Security 6.03

• F-Secure FSAVCS603_HF02
  ftp://ftp.f-secure.com/support/hotfix/fsavcs/FSAVCS603_HF02-51943-sign ed.jar

F-Secure Anti-Virus Client Security 6.02

• F-Secure FSAVCS603_HF02
  ftp://ftp.f-secure.com/support/hotfix/fsavcs/FSAVCS603_HF02-51943-sign ed.jar

F-Secure Anti-Virus Client Security Local Format String Vulnerability

References:

• Client Security Home Page (F-Secure)
  
• F-Secure Anti-Virus Client Security Hotfixes (F-Secure)
  
• Layered Defense Research Advisory: F-Secure Anti-Virus Client Security 6.02 Form ([email protected])