what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Remote Binary Planting In Multiple F-Secure Products

Remote Binary Planting In Multiple F-Secure Products
Posted Jan 11, 2011
Authored by ACROS Security, Simon Raner | Site acrossecurity.com

ACROS Security Problem Report #2011-01-11-1 - A binary planting vulnerability in F-Secure Internet Security 2010 and 2011, F-Secure Anti-Virus 2010 and 2011 and multiple other F-Secure products allows local or remote (even Internet-based) attackers to deploy and execute malicious code on Windows machines in the context of logged-on users.

tags | advisory, remote, local, virus
systems | windows
SHA-256 | 01f52cb96345599ee288a5aaf14347b748cc0327df5569dc06d00aff5958486b

Remote Binary Planting In Multiple F-Secure Products

Change Mirror Download


ACROS Security Problem Report #2011-01-11-1
ASPR #2011-01-11-1: Remote Binary Planting in Multiple F-Secure Products

Document ID: ASPR #2011-01-11-1-PUB
Vendor: F-Secure Corp. (http://www.f-secure.com)
Target: F-Secure Internet Security 2010 and 2011
F-Secure Anti-Virus 2010 and 2011
(and multiple other F-Secure products)
Impact: Remote execution of arbitrary code
Severity: Very high
Status: Official patch available, workarounds available
Discovered by: Simon Raner of ACROS Security

CVSS score: 9.3 (HIGH) (AV:N/AC:M/Au:N/C:C/I:C/A:C)
CVE ID: (unknown)
CWE ID: CWE-426: Untrusted Search Path

Current version


A "binary planting" [1] vulnerability in F-Secure Internet Security 2010
and 2011, F-Secure Anti-Virus 2010 and 2011 and multiple other F-Secure
products allows local or remote (even Internet-based) attackers to deploy
and execute malicious code on Windows machines in the context of logged-on

Product Coverage

- Solutions based on F-Secure Protection Service for Consumers version 9
- Solutions based on F-Secure Protection Service for Business -
Workstation security version 9
- Solutions based on F-Secure Protection Service for Business -
Email and Server Security version 9
- Solutions based on F-Secure Protection Service for Business -
Server Security version 9
- F-Secure Internet Security 2010 and 2011
- F-Secure Anti-Virus 2010 and 2011
- F-Secure Client Security 9.00-9.01
- F-Secure Anti-Virus for Workstations 9.00-9.01
- F-Secure Anti-Virus for Windows Servers 9.00
- F-Secure Anti-Virus for Citrix Servers 9.00


As a result of an incorrect dynamic link library loading in affected
F-Secure products, an attacker can cause her malicious DLL to be loaded
and executed on users' computers from local drives, remote Windows shares,
and even shares located on Internet.

This vulnerability is exploitable through other products that F-Secure
products integrate with, most notably web browsers. One such example is a
combination of Mozilla Firefox and F-Secure Internet Security 2011. When
launched by double-clicking an .HTML file via Windows Explorer (or most
any other popular file manager), Firefox is started with the current
working directory (CWD) set to the folder where this file resides. If F-
Secure Internet Security is installed, Firefox displays its toolbar and
allows the user to view and edit the "Browsing protection" settings. These
get launched by Firefox and inherit its CWD, but they also integrate a
vulnerable 3rd party library QtCore4.dll, which blindly tries to load
wintab32.dll whether this library is present on the system or not. In the
latter case (i.e., on most systems), this DLL is not found in either the
Firefox folder (%PROGRAMFILES%\Mozilla Firefox\) or any one of the Windows
system folders as specified by the search path, and is then looked for in
the CWD. If found there, wintab32.dll (planted by the attacker) is loaded
and executed.

(Note that Firefox is doing nothing wrong here. Its CWD is set
automatically by Windows Explorer upon user's double-clicking the HTML
file, as is the case with any other application.)

All a remote attacker has to do is plant a malicious DLL with a specific
name (wintab32.dll) on a network share and get the user to open any .HTML
file with Firefox from this network location - which should require
minimal social engineering.

Windows systems by default have the Web Client service running - which
makes remote network shares accessible via WebDAV -, thus the malicious
DLL can also be deployed from an Internet-based network share as long as
the intermediate firewalls allow outbound HTTP traffic to the Internet.

A systematic attack could deploy malicious code to a large number of
Windows workstations in a short period of time, possibly as an Internet

Visit http://www.binaryplanting.com/ for more information on binary
planting vulnerabilities and attacks.

Mitigating Factors

- A firewall blocking outbound WebDAV traffic (in addition to blocking all
Windows Networking protocols) could stop an Internet-based attack.

- Microsoft's CWDIllegalInDllSearch hotfix [2] can stop a network-based
exploitation of this vulnerability.


F-Secure has issued a security bulletin [3] and published an update for
all affected products that fixes this issue.


- Stopping the Web Client service could stop Internet-based attacks as
long as the network firewall stops outbound Microsoft Networking
protocols. This would not, however, stop remote LAN-based attacks where
the attacker is able to place a malicious DLL on a network share inside
the target (e.g., corporate) network.

- General recommendations for limiting or stopping binary planting attacks
are available at

Related Services

ACROS is offering professional consulting on this issue to interested
corporate and government customers. Typical questions we can help you
answer are:

1) To what extent is your organization affected by this issue?

2) Is it possible to get remote code from the Internet launched inside
your network? Can this be demonstrated?

3) Have you adequately applied the remedies to remove the vulnerability?

4) Are there circumstances in your environment that might prevent the
effectiveness of this fix?

5) Are there other workarounds that you could implement to fix this issue
more efficiently and/or inexpensively?

6) Are your systems or applications vulnerable to other similar issues?

Interested parties are encouraged to ask for more information at


ACROS Security has performed an extensive Binary Planting research
project, focused on various types of vulnerabilities where an attacker
with low privileges can place (i.e., "plant") a malicious executable file
(i.e., "binary") to some possibly remote location and get it launched by
some vulnerable application running on user's computer.

The research found that binary planting vulnerabilities are affecting a
large percentage of Windows applications and often allowing for trivial
exploitation: it identified ~520 remotely exploitable bugs in ~200 widely-
used Windows applications. A large majority of these vulnerabilties
remain unfixed and publicly unknown at the time of this writing.

Find out more:
- http://www.binaryplanting.com
- http://blog.acrossecurity.com

Follow ACROS Security on Twitter to get immediate updates on the ongoing
Binary Planting research and other research projects.


[1] Binary Planting - The Official Web Site

[2] Microsoft's CWDIllegalInDllSearch hotfix

[3] Security Advisory FSC-2010-4 - Binary planting vulnerability


ACROS d.o.o.
Makedonska ulica 113
SI - 2000 Maribor

e-mail: security@acrossecurity.com
web: http://www.acrossecurity.com
phone: +386 2 3000 280
fax: +386 2 3000 282

ACROS Security PGP Key
[Fingerprint: FE9E 0CFB CE41 36B0 4720 C4F1 38A3 F7DD]

ACROS Security Advisories


The content of this report is purely informational and meant only for the
purpose of education and protection. ACROS d.o.o. shall in no event be
liable for any damage whatsoever, direct or implied, arising from use or
spread of this information. All identifiers (hostnames, IP addresses,
company names, individual names etc.) used in examples and demonstrations
are used only for explanatory purposes and have no connection with any
real host, company or individual. In no event should it be assumed that
use of these names means specific hosts, companies or individuals are
vulnerable to any attacks nor does it mean that they consent to being used
in any vulnerability tests. The use of information in this report is
entirely at user's risk.

Revision History

January 11, 2011: Initial release


(c) 2011 ACROS d.o.o. Forwarding and publishing of this document is
permitted providing the content between "[BEGIN-ACROS-REPORT]" and
"[END-ACROS-REPORT]" marks remains unchanged.

Login or Register to add favorites

File Archive:

March 2023

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    13 Files
  • 3
    Mar 3rd
    15 Files
  • 4
    Mar 4th
    0 Files
  • 5
    Mar 5th
    0 Files
  • 6
    Mar 6th
    16 Files
  • 7
    Mar 7th
    31 Files
  • 8
    Mar 8th
    16 Files
  • 9
    Mar 9th
    13 Files
  • 10
    Mar 10th
    9 Files
  • 11
    Mar 11th
    0 Files
  • 12
    Mar 12th
    0 Files
  • 13
    Mar 13th
    10 Files
  • 14
    Mar 14th
    6 Files
  • 15
    Mar 15th
    17 Files
  • 16
    Mar 16th
    22 Files
  • 17
    Mar 17th
    13 Files
  • 18
    Mar 18th
    0 Files
  • 19
    Mar 19th
    0 Files
  • 20
    Mar 20th
    16 Files
  • 21
    Mar 21st
    13 Files
  • 22
    Mar 22nd
    5 Files
  • 23
    Mar 23rd
    6 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    0 Files
  • 26
    Mar 26th
    0 Files
  • 27
    Mar 27th
    0 Files
  • 28
    Mar 28th
    0 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags


packet storm

© 2022 Packet Storm. All rights reserved.

Security Services
Hosting By