Security Advisories

FSC-2016-2: Multiple browser plugin vulnerabilities with F-Secure KEY for Desktop

Description

Vulnerabilities in the browser plugin feature of F-Secure KEY for Desktop could allow an attacker to remotely read user data, including passwords.

Affected Products

Risk Level (Low/Medium/High/Critical): High

  • F-Secure KEY for Desktop 4.3.101 - 4.3.129

Platforms

  • Windows
  • Mac

More Information

The browser plugin feature of F-Secure KEY for Desktop was introduced in version 4.3.101. In versions prior to 4.3.130, the plugin is susceptible to multiple vulnerabilities, involving cross-site scripting (XSS), cross-site request forgery (CSRF) and reuse of the API key (in order of lowest to highest risk).

An attack that chains exploits for these vulnerabilities could lead to information disclosure, in which user data (including passwords) may be read remotely by an attacker. A sufficiently layered attack could potentially also lead to remote code execution.

The issues were disclosed directly to F-Secure, and no known attacks have been observed in the wild at the time of the advisory release.

Mitigating Factors

F-Secure KEY for Desktop must be unlocked prior to successful exploitation.

Certain attack methods also require user interaction before exploitation can succeed.

Fix Available

Component: F-Secure KEY for Windows
Version: 4.3.131
Remarks:

Fix is available in the normal application update channel; apply by updating when prompted by the application.

For a new installation, the installer can be downloaded from https://download.sp.f-secure.com/key/f-secure_key_win.msi

As a precaution and at their own discretion, users may elect to change the passwords stored in the application.

Component: F-Secure KEY for Mac
Version: 4.3.131
Remarks:

Fix is available in the normal application update channel; apply by updating when prompted by the application.

For a new installation, the installer can be downloaded from https://download.sp.f-secure.com/key/f-secure_key_mac.dmg

As a precaution and at their own discretion, users may elect to change the passwords stored in the application.

Credits

F-Secure Corporation would like to thank Tuomas Blomqvist for bringing this issue to our attention.

Date Issued: 2016-07-19