Published: Jun 1, 2010
Information-technology Promotion Agency, Japan (IPA, Chairman Koji Nishigaki) issued a security alert concerning a security vulnerability in the Ichitaro Series on June 1, 2010.
This vulnerability causes arbitrary code to be executed when the user of an affected system views a maliciously crafted document file via a web browser or e-mail. If exploited, the affected computer may fall under the control of an attacker, who could execute arbitrary commands with administrator privileges, installing malicious programs or altering and deleting data.
To fix this vulnerability, update the software to the fixed version provided by the product developer.
The Ichitaro series, developed by JustSystems Corporation, is Japanese word-processing software. It is widely used within Japan for composing documents.
The Ichitaro series is vulnerable to arbitrary code execution due to a flaw in the way it reads document files. If exploited, an attacker could execute arbitrary code on a computer on which the Ichitaro series is installed.
For detailed information, refer to the following URL:
http://www.justsystems.com/jp/info/js10002.html (Japanese)
For the latest information, refer to the following URL:
http://jvndb.jvn.jp/jvndb/JVNDB-2010-000024
IPA and JPCERT Coordination Center (JPCERT/CC) received a report concerning this vulnerability directly from the product developer on June 1, 2010, and released it today.
An attacker could execute arbitrary commands, installing malicious programs or altering and deleting data, when the user of an affected system views a maliciously crafted document file via a web browser or e-mail. In particular, when such a document is viewed in a web browser, depending on the browser and its settings, harm may be done simply by accessing a malicious URL, even without opening the document file after downloading it. As a result, the computer may be compromised and fall under the control of the attacker.

To fix this vulnerability, update the software to the fixed version provided by the product developer.
| Severity Rating (CVSS base score) | □ Low (0.0~3.9) | □ Medium (4.0~6.9) | ■ High (7.0~10.0) |
|---|---|---|---|
| CVSS base score | 9.3 | | |

| Metric | | | |
|---|---|---|---|
| AV:Access Vector | □ Local | □ Adjacent Network | ■ Network |
| AC:Access Complexity | □ High | ■ Medium | □ Low |
| Au:Authentication | □ Multiple | □ Single | ■ None |
| C:Confidentiality Impact | □ None | □ Partial | ■ Complete |
| I:Integrity Impact | □ None | □ Partial | ■ Complete |
| A:Availability Impact | □ None | □ Partial | ■ Complete |

■:Selected Values
This vulnerability has been CWE classified as “No Mapping” (CWE-noinfo).
IT Security Center,
Information-technology Promotion Agency, Japan (ISEC/IPA)