PT-2017-17086 · F-Secure · F-Secure Software Updater

Published: 2017-03-11 · Updated: 2017-03-14 · CVE-2017-6466

CVSS v2.0: 9.3 (High)

Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: F-Secure Software Updater version 2.20

Description: The issue allows man-in-the-middle attackers to replace downloaded files with their own executable, which is then executed under the SYSTEM account. This is possible because the software downloads installation packages over plain HTTP and does not validate file integrity after download. In automatic mode, the software checks for a digital signature by default but does not verify who signed it, so any validly signed file is accepted. In manual mode, no signature check is performed at all.

Recommendations: For F-Secure Software Updater version 2.20, consider disabling the automatic installation of updates and manually verify both the digital signature and the identity of its signer before installing any update. As a temporary workaround, restrict the use of the Software Updater until a secure version is available.
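The manual check the recommendation describes, as an added example that is not part of the advisory or of F-Secure's software: it verifies that an installer's Authenticode signature validates and that the signer is the expected publisher, which is the step the advisory says the updater skips. The expected subject, thumbprint and SHA-256 are assumptions to be taken from a known-good installer obtained over an authenticated channel.

```powershell
# Added example (not from the advisory): verify an installer's Authenticode
# signature AND its signer before running it. A signature that merely
# validates is not enough: any code-signing certificate yields Status 'Valid',
# which is exactly the gap the advisory describes.
function Test-TrustedInstaller {
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Expected publisher subject and certificate thumbprint are assumptions;
        # record them from a known-good installer obtained out of band.
        [Parameter(Mandatory)] [string] $ExpectedSubject,
        [Parameter(Mandatory)] [string] $ExpectedThumbprint,
        # Optional SHA-256 published by the vendor over an authenticated channel.
        [string] $ExpectedSha256
    )

    $sig = Get-AuthenticodeSignature -FilePath $Path

    # 1. The signature itself must validate (trusted chain, hash matches).
    if ($sig.Status -ne 'Valid') {
        return [pscustomobject]@{ Trusted = $false; Reason = "Signature status: $($sig.Status)" }
    }

    # 2. The signer must be the expected publisher, not just any valid signer.
    $cert = $sig.SignerCertificate
    if ($cert.Subject -ne $ExpectedSubject) {
        return [pscustomobject]@{ Trusted = $false; Reason = "Unexpected signer: $($cert.Subject)" }
    }
    if ($cert.Thumbprint -ne $ExpectedThumbprint) {
        return [pscustomobject]@{ Trusted = $false; Reason = "Unexpected certificate thumbprint: $($cert.Thumbprint)" }
    }

    # 3. Optional: independent integrity check against a vendor-published hash,
    #    covering the plain-HTTP download path the advisory describes.
    if ($ExpectedSha256) {
        $actual = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
        if ($actual -ne $ExpectedSha256.ToUpperInvariant()) {
            return [pscustomobject]@{ Trusted = $false; Reason = "SHA-256 mismatch: $actual" }
        }
    }

    return [pscustomobject]@{ Trusted = $true; Reason = 'Signature valid and signer matches expected publisher' }
}

# Usage with placeholder values (replace with the publisher's real details):
# Test-TrustedInstaller -Path 'C:\Downloads\update.exe' `
#     -ExpectedSubject 'CN=Example Publisher, O=Example Publisher, C=XX' `
#     -ExpectedThumbprint 'PLACEHOLDER_THUMBPRINT'
```

Only install the package when the returned object reports Trusted = $true; a 'Valid' status with an unexpected subject is the case this check exists to catch.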

Fix

RCE


Weakness Enumeration

Related Identifiers

CVE-2017-6466

Affected Products

F-Secure Software Updater