IPA/ISEC:Vulnerabilities:Security Alert for Vulnerability in the Ichitaro Series

Published: April 12, 2010

Information-technology Promotion Agency, Japan (IPA, Chairman Koji Nishigaki) issued a security alert on April 12, 2010 concerning a security vulnerability in the Ichitaro Series.
This vulnerability allows arbitrary code to be executed when the user of an affected system views a maliciously crafted document file via a web browser or e-mail. If it is exploited, the affected computer may come under the control of an attacker, who could execute arbitrary commands with administrator privileges, installing malicious programs or altering and deleting data.

To fix this vulnerability, update the software to the fixed version provided by the product developer.

1. Overview

The Ichitaro series, developed by JustSystems Corporation, is Japanese word-processing software. It is widely used within Japan as one of the software options for creating word-processing documents.

The Ichitaro series is vulnerable to arbitrary code execution due to a flaw in how it reads document files. If the flaw is exploited, an attacker could execute arbitrary code on a computer on which the Ichitaro series is installed.

For detailed information, refer to the following URL:
http://www.justsystems.com/jp/info/js10001.html (Japanese)

For the latest information, refer to the following URL:
http://jvndb.jvn.jp/jvndb/JVNDB-2010-000015

IPA and JPCERT Coordination Center (JPCERT/CC) received a report concerning this vulnerability directly from the product developer on April 12, 2010, and released it today.

2. Impact

An attacker could execute arbitrary commands, installing malicious programs or altering and deleting data, when the user of an affected system views a maliciously crafted document file via a web browser or e-mail. In particular, when such a document is viewed in a web browser, depending on the browser and its settings, harm may be done simply by accessing a malicious URL, even without opening the document file after downloading it. As a result, the computer may be compromised and come under the control of the attacker.

3. Solution

To fix this vulnerability, update the software to the fixed version provided by the product developer.

4. CVSS Severity

(1) Evaluation Result

Severity Rating (CVSS base score): □ Low (0.0~3.9) □ Medium (4.0~6.9) ■ High (7.0~10.0)
CVSS base score: 9.3

(2) Base Score Metrics

AV:Access Vector □ Local □ Adjacent Network ■ Network
AC:Access Complexity □ High ■ Medium □ Low
Au:Authentication □ Multiple □ Single ■ None
C:Confidentiality Impact □ None □ Partial ■ Complete
I:Integrity Impact □ None □ Partial ■ Complete
A:Availability Impact □ None □ Partial ■ Complete

■:Selected Values

5. CWE Type

This vulnerability has been classified under CWE as "No Mapping (CWE-noinfo)".

Contact

IT Security Center,
Information-technology Promotion Agency, Japan (ISEC/IPA)
E-mail: