Security Advisories
FSC-2014-5: Remote File System Access
Description
A vulnerability in the Online Safety and Browsing Protection features of certain F-Secure security products could allow an attacker to remotely read files on the user's file system. No attacks have been reported in the wild.
Affected Products
- Risk Level (Low/Medium/High/Cricital) Critical
- F-Secure Internet Security 2014
- F-Secure Internet Security 2013
- Safe Anywhere for PC 12.1 - 14.2
- Client Security 10.0 - 11.51
- Email and Server Security 10.00 - 11.00
- Server Security 10.00 - 11.00
- Protection Service for Business Workstation Security 10.00 - 10.10
- Protection Service for Business Email and Server Security 10.00
- Protection Service for Business Server Security 10.00
Platforms
- Risk Level (Low/Medium/High/Cricital) Critical
- All supported platforms for the affected products
Fix Available
| Product | Versions | Fix |
|---|---|---|
| F-Secure Internet Security | 2013 - 2014 | Fix is available in the automatic update channel. In some cases, a system reboot may be required; otherwise, no user actions are needed. |
| Safe Anywhere for PC | 12.1 - 14.2 | Fix is available in the automatic update channel. In some cases, a system reboot may be required; otherwise, no user actions are needed. |
| Client Security | 10.00 - 11.51 | Fix is available in the automatic update channel. No user actions needed if automatic updates are enabled. |
| Email and Server Security | 10.00 - 11.00 | Fix is available in the automatic update channel. No user actions needed if automatic updates are enabled. |
| Server Security | 10.00 - 11.00 |
Fix is available in the automatic update channel. No user actions needed if automatic updates are enabled. |
| Protection Service for Business Workstation Security |
10.00 - 10.10 | Fix is available in the automatic update channel. No user actions needed if automatic updates are enabled. |
| Protection Service for Business Email and Server Security |
10.00 | Fix is available in the automatic update channel. No user actions needed if automatic updates are enabled. |
| Protection Service for Business Server Security |
10.00 | Fix is available in the automatic update channel. No user actions needed if automatic updates are enabled. |
Credits
F-Secure Corporation would like to express its sincere gratitude to Juho Ranta, Henrik Kouri, Jani Manninen, Jussi-Pekka Erkkilä and Lauri Vehviläinen from 2NS – Second Nature Security for bringing this issue to our attention.
Advisory Changes
| Date | Changes |
|---|---|
| 28th May 2014 | First advisory published. |
| 29th May 2014 | Corrected version numbers for Client Security in Fix Available. |
| 30th May 2014 | Updated to include Server Security and Protection Service for Business Server Security. |
Date Issued: 2014-05-28
Date Last Updated: 2014-05-30