F-Secure has patched a vulnerability that could possibly be used to run unauthorised code on its email and internet gateway server software.
Two of the company's products are affected by the flaw, which was patched yesterday: Secure's Anti-Virus for Microsoft Exchange 6.40 and Internet Gatekeeper 6.40, 6.41, 6.42 and 6.50.
The bug affects the web-based management console software used by these servers, said Mikko Hyppönen, manager of antivirus research at F-Secure. By sending specially crafted messages to the web console, a hacker could crash it.
This software is typically set to accept connections only from trusted computers, such as the workstation of the network administrator responsible for the server, but it can be configured to accept connections from any computer. F-Secure rates this bug as critical in this latter configuration.
The flaw was discovered by a legitimate security researcher, Mikko Korppi, who notified F-Secure of the problem. The company does not know of any attackers who have exploited the problem.
Nonetheless, because the flaw is due to a "buffer overflow" condition, where the software ends up storing information in unexpected parts of the computer's memory, it could theoretically be used by attackers to run unauthorised software on unpatched servers, Hyppönen said.
F-Secure isn't the only security vendor to patch its software of late. On Saturday, Symantec published a fix for a widely reported flaw in its corporate antivirus client software.