Threat presented by F-Secure ActiveX component
F-Secure warns that a vulnerability in its Anti-Virus and Internet Security products allows systems to become infected with malicious code when users visit a specially crafted web site. Vulnerable versions include 2010 editions and the current version 2011 release. Version 9 of F-Secure Protection Service (Consumer and Business) is also affected.
The vulnerability is contained in the fsresh.dll ActiveX module, which means that it only affects those who use Internet Explorer and browsers that are based on it. The 'high-risk' hole potentially allows attackers to overwrite the troubleshooting routine and execute arbitrary code. It was discovered by security expert Anil Aphale, who has already published an exploit.
A patch that F-Secure has deployed via the affected programs' auto-update feature in the past few days fixes the problem. Those who use the programs in question should, therefore, ensure that their systems have received the latest updates.