IPA/ISEC：Vulnerabilities：Security Alert for Vulnerability in ATOK

September 2, 2009
>> JAPANESE

1.Overview

“ATOK” is a Japanese input method provided by JustSystems Corporation.

Vulnerability exists in “ATOK”, which allows the screen lock protection on the personal computer to be bypassed.

If this weakness is exploited, there is a possibility that arbitrary commands or programs may be executed.

For detailed information, refer to the following URL:
http://www.justsystems.com/jp/info/js09003.html (Japanese)

For the latest information, refer to the following URL:
http://jvndb.jvn.jp/jvndb/JVNDB-2009-000057

The IPA first received a report concerning this vulnerability through the creditee below on April 23, 2009, and the JPCERT Coordination Center (JPCERT/CC), in line with the Information Security Early Warning Partnership, made adjustments to clarify the matter with the vendor and made the announcement public on September 2, 2009.
Credit: Taku Kudo, Google Inc.

2.Impact

In the event an attacker conducts a specific sequence of operations on a screen-locked personal computer, it allows the attacker to bypass the screen lock protection.

As a result, there is a possibility that arbitrary commands or programs may be executed using the authorization of a local system account of that personal computer.

3.Solution

To fix this vulnerability, update to the fixed version supplied by the vendor.

4.CVSS Severity

(1)Evaluation Result

(2) Base Score Metrics

■:Selected Values

5.CWE Type

This vulnerability has been CWE classified as “Permissions, Privileges, and Access Controls (CWE-264)”.

Contact