Published: Jun 29, 2011
>> JAPANESE

1.Overview

Alzip is developed by ESTsoft Japan Corp. and is a software that compresses data and minimizes the file size of the data to store and decompress them when needed (a data compression/decompression software). ALZip supports the file formats such as lzh, zip and mim.

ALZip is vulnerable to buffer overflow due to a flaw in a way it processes mim files. If exploited, an attacker could execute arbitrary code on the affected system.

Get the fixed version at the following URL and reinstall it:
http://www.altools.jp/download/alzip.aspx (Japanese)

For the latest information, refer to the following URL:
http://jvndb.jvn.jp/jvndb/JVNDB-2011-000048

In line with the Information Security Early Warning Partnership, the IPA received a report concerning this vulnerability through the creditee below, and the JPCERT Coordination Center (JPCERT/CC) made adjustments to clarify the matter with the product developer and made it public on June 29, 2011.

Credit:

Takahiko Funakubo,

ForteenForty Research Institute Inc. (Reported: April 14, 2011)

2.Impact

An attacker could execute arbitrary code.

3.Solution

To fix this vulnerability, reinstall the fixed version of the software.

4.CVSS Severity

(1)Evaluation Result

Severity Rating (CVSS base score)	□ Low (0.0~3.9)	■Medium (4.0~6.9)	□ High (7.0~10.0)
CVSS base score		6.8

(2) Base Score Metrics

AV:Access Vector	□ Local	□ Adjacent 　Network	■ Network
AC:Access Complexity	□ High	■ Medium	□ Low
Au:Authentication	□ Multiple	□ Single	■ None
C:Confidentiality Impact	□ None	■ Partial	□ Complete
I:Integrity Impact	□ None	■ Partial	□ Complete
A:Availability Impact	□ None	■ Partial	□ Complete

■:Selected Values

5.CWE Type

This vulnerability has been CWE classified as “Buffer Errors” (CWE-Buffer Errors)”

Contact