Security Advisories

FSC-2017-4: Universal Cross-Site Scripting in F-Secure SAFE For Windows

Description

By exploiting a flaw in the "Harmful web site blocked" page that F-Secure SAFE shows in the web browser, it is possible to gain JavaScript execution in the context of an arbitrary website.

Affected Products

Risk Level (Low/Medium/High/Critical): Medium

  • F-Secure SAFE 17.0 and below
  • Protection Service for Business (PSB) Computer Protection 17.5 and below

Platforms

  • Windows

More Information

Improper URL handling by F-Secure Browsing Protection, when combined with multiple low severity issues, can be used to trigger universal cross-site scripting through the Browsing Protection block page in a web browser. User interaction is required prior to exploitation, such as visiting a malicious website that triggers the vulnerability.

This issue was disclosed to F-Secure through our Vulnerability Reward Program. No known attack has been observed in the wild at the time of the advisory release.

Mitigating Factors

HTTPS connections are not vulnerable to this attack.

Fix Available

Product / Versions / Download

  • F-Secure SAFE for Windows, 17.0 and below: A fix has been released in the automatic update channel since 1 November 2017. No user action is required if automatic update is enabled.
  • PSB Computer Protection, 17.5 and below: A fix has been released in the automatic update channel since 1 November 2017. No user action is required if automatic update is enabled.

Credits

F-Secure Corporation would like to thank Juho Nurminen for bringing this issue to our attention.

Advisory history

Date / Changes

11 December 2017
  • Updated to include PSB Computer Protection as an affected product.
  • Updated "Fix Available" section to include PSB Computer Protection.

6 December 2017
  • Advisory first published.

Date Issued: 2017-12-06