Published: April 12, 2010
Information-technology Promotion Agency, Japan (IPA, Chairman Koji Nishigaki) has issued a security alert concerning a security vulnerability in the Ichitaro Series on April 12, 2010.
This vulnerability allows arbitrary code to be executed when the user of an affected system views a maliciously crafted document file via a web browser or e-mail. If exploited, the affected computer may come under the control of an attacker, who could execute arbitrary commands with administrator privileges, installing malicious programs or altering and deleting data.
To fix this vulnerability, update the software to the fixed version provided by the product developer.
The Ichitaro series, developed by JustSystems Corporation, is Japanese word-processing software. It is widely used in Japan as one of the software options for creating word-processing documents.
The Ichitaro series is vulnerable to arbitrary code execution due to a flaw in how it reads document files. If exploited, an attacker could execute arbitrary code on a computer on which the Ichitaro series is installed.
For detailed information, refer to the following URL:
http://www.justsystems.com/jp/info/js10001.html (Japanese)
For the latest information, refer to the following URL:
http://jvndb.jvn.jp/jvndb/JVNDB-2010-000015
IPA and JPCERT Coordination Center (JPCERT/CC) received a report concerning this vulnerability directly from the product developer on April 12, 2010, and released it today.
An attacker could execute arbitrary commands, installing malicious programs or altering and deleting data, when the user of an affected system views a maliciously crafted document file via a web browser or e-mail. In particular, when such a document is viewed in a web browser, depending on the browser and its settings, harm may be done simply by accessing a malicious URL, even without opening the document file after downloading it. As a result, the computer may be compromised and come under the control of the attacker.

To fix this vulnerability, update the software to the fixed version provided by the product developer.
| Severity Rating (CVSS base score) | □ Low (0.0~3.9) | □ Medium (4.0~6.9) | ■ High (7.0~10.0) |
|---|---|---|---|
| CVSS base score | 9.3 | | |

| AV:Access Vector | □ Local | □ Adjacent Network | ■ Network |
|---|---|---|---|
| AC:Access Complexity | □ High | ■ Medium | □ Low |
| Au:Authentication | □ Multiple | □ Single | ■ None |
| C:Confidentiality Impact | □ None | □ Partial | ■ Complete |
| I:Integrity Impact | □ None | □ Partial | ■ Complete |
| A:Availability Impact | □ None | □ Partial | ■ Complete |

■: Selected Values
This vulnerability has been classified under CWE as “No Mapping” (CWE-noinfo).
IT Security Center,
Information-technology Promotion Agency, Japan (ISEC/IPA)