Anti-virus software vendor F-Secure has been caught out by a critical security hole in its own software.
The company issued a patch for a wide range of its products last week after a security researcher in Luxembourg reported vulnerabilities to the company.
A flaw in the way F-Secure software handled ZIP and RAR format data compression archives could allow an attacker to execute remote code on users' systems and bypass F-Secure's anti-virus-scanning capabilities, according to Thierry Zoller, the security engineer and penetration tester who reported the vulnerability to F-Secure.
F-Secure customers received an automated hot fix the same time as the company published the vulnerability, said David Frazer, senior project manager for F-Secure. "There was no user interaction required," Frazer said.
"Millions" of F-Secure customers used the software affected by the flaws, Frazer said. "As far as we know, the vulnerability has not been exploited," he said. "When you have a vulnerability of a critical nature, you want to get a hot fix out before somebody has a chance to exploit it."
The vast majority of F-Secure's anti-virus product line was affected by the vulnerability, Frazer said. Anti-virus scanners for Linux, Samba and firewalls were also affected.
Zoller, on his blog, praised F-Secure for publicly fixing the vulnerability. "I found multiple vulnerabilities within various [anti-virus] Engines, F-Secure are the first to actually publish a real advisory, others fixed the bugs silently or put a small notice in a change_log," he wrote.
Zoller said he will wait to publish details of the vulnerability. "There are too many engines vulnerable and I am going to wait until most of them have patched the flaws until I exactly disclose my findings," he wrote.