Published: Oct 12, 2010
The Information-technology Promotion Agency (IPA, Chairman Kazumasa Fujie) issued a security alert on October 12, 2010, concerning a security vulnerability in Lhasa.
This vulnerability allows an attacker to execute arbitrary code when a user expands a compressed file stored in a particular folder. If exploited, the computer may come under the control of a malicious attacker by being forced to execute unintended programs.
To fix this vulnerability, update to the fixed version supplied by the vendor.
Lhasa is file decompression software that supports data compression formats such as lzh and zip. Lhasa is vulnerable because of a flaw in the way it loads executable files. If exploited, arbitrary code may be executed on computers on which Lhasa is installed.
To get a fixed version, go to the following URL:
For the latest information, refer to the following URL:
The IPA first received a report concerning this vulnerability from the person credited below. The JPCERT Coordination Center (JPCERT/CC), in line with the Information Security Early Warning Partnership, coordinated with the vendor to clarify the matter, and the announcement was made public on October 12, 2010.
Credit: Makoto Shiotsuki (Reported: September 13, 2010)
Unintended operations may occur, such as the execution of unintended programs, the deletion of files, and the installation of malicious tools like viruses and bots, when a user is guided to a shared folder (for example, on a file server) and opens a compressed file there.
To fix this vulnerability, update to the fixed version provided by the vendor.
(CVSS base score)
|CVSS base score||
|AV:Access Vector||□ Local||□ Adjacent
|AC:Access Complexity||□ High||■ Medium||□ Low|
|Au:Authentication||□ Multiple||□ Single||■ None|
|C:Confidentiality Impact||□ None||■ Partial||□ Complete|
|I:Integrity Impact||□ None||■ Partial||□ Complete|
|A:Availability Impact||□ None||■ Partial||□ Complete|
IT Security Center,
Information-technology Promotion Agency, Japan (ISEC/IPA)