
IPA/ISEC:Vulnerabilities:Security Alert for Vulnerability in ALZip

Published: Jun 29, 2011

Information-technology Promotion Agency, Japan (IPA, Chairman Kazumasa Fujie) issued a security alert concerning a security vulnerability in ALZip on June 29, 2011. To fix this vulnerability, reinstall the fixed version of ALZip provided by the product vendor.


ALZip is data compression/decompression software developed by ESTsoft Japan Corp. It compresses data to minimize file size for storage and decompresses it when needed. ALZip supports file formats such as lzh, zip and mim.

ALZip is vulnerable to a buffer overflow due to a flaw in the way it processes mim files. If exploited, an attacker could execute arbitrary code on the affected system.

Get the fixed version at the following URL and reinstall it: (Japanese)

For the latest information, refer to the following URL:

In line with the Information Security Early Warning Partnership, the IPA received a report concerning this vulnerability from the reporter credited below, and the JPCERT Coordination Center (JPCERT/CC) coordinated with the product developer and made it public on June 29, 2011.

Credit: Takahiko Funakubo, Fourteenforty Research Institute Inc.
(Reported: April 14, 2011)


An attacker could execute arbitrary code.



To fix this vulnerability, reinstall the fixed version of the software.

4. CVSS Severity

(1) Evaluation Result

Severity Rating
(CVSS base score)
□ Low
□ High
CVSS base score  

(2) Base Score Metrics

AV:Access Vector □ Local □ Adjacent ■ Network
AC:Access Complexity □ High ■ Medium □ Low
Au:Authentication □ Multiple □ Single ■ None
C:Confidentiality Impact □ None ■ Partial □ Complete
I:Integrity Impact □ None ■ Partial □ Complete
A:Availability Impact □ None ■ Partial □ Complete

■:Selected Values
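The selected base metrics above determine the CVSS v2 base score through the CVSS v2.0 base equation. The following is an added example, not part of the IPA advisory: it reads the checkbox rows as printed here and computes the score. The function names and the Low/Medium/High bands (NVD's CVSS v2 ranges) are assumptions of this example, and the result is calculated from the formula, not quoted from the advisory.

```python
import re
from decimal import Decimal, ROUND_HALF_UP

# CVSS v2.0 base metric weights, keyed by the value names used in the advisory table.
WEIGHTS = {
    "AV": {"Local": 0.395, "Adjacent": 0.646, "Network": 1.0},
    "AC": {"High": 0.35, "Medium": 0.61, "Low": 0.71},
    "Au": {"Multiple": 0.45, "Single": 0.56, "None": 0.704},
    "C": {"None": 0.0, "Partial": 0.275, "Complete": 0.660},
    "I": {"None": 0.0, "Partial": 0.275, "Complete": 0.660},
    "A": {"None": 0.0, "Partial": 0.275, "Complete": 0.660},
}
# Metric rows transcribed from this advisory (filled box = selected value).
ADVISORY_ROWS = """\
AV:Access Vector □ Local □ Adjacent ■ Network
AC:Access Complexity □ High ■ Medium □ Low
Au:Authentication □ Multiple □ Single ■ None
C:Confidentiality Impact □ None ■ Partial □ Complete
I:Integrity Impact □ None ■ Partial □ Complete
A:Availability Impact □ None ■ Partial □ Complete
"""

def selected_metrics(rows):
    """Return {metric: selected value}; reject rows without exactly one valid mark."""
    picked = {}
    for line in filter(None, map(str.strip, rows.splitlines())):
        metric = line.split(":", 1)[0]
        marked = re.findall(r"■\s*(\w+)", line)
        if metric not in WEIGHTS or len(marked) != 1 or marked[0] not in WEIGHTS[metric]:
            raise ValueError(f"cannot read metric row: {line!r}")
        picked[metric] = marked[0]
    if set(picked) != set(WEIGHTS):
        raise ValueError("missing base metrics")
    return picked

def base_score(m):
    """CVSS v2 base equation, rounded to one decimal place."""
    w = {k: WEIGHTS[k][v] for k, v in m.items()}
    impact = 10.41 * (1 - (1 - w["C"]) * (1 - w["I"]) * (1 - w["A"]))
    exploitability = 20 * w["AV"] * w["AC"] * w["Au"]
    raw = (0.6 * impact + 0.4 * exploitability - 1.5) * (1.176 if impact else 0)
    return float(Decimal(str(raw)).quantize(Decimal("0.1"), ROUND_HALF_UP))

def severity(score):
    # Assumed bands (NVD CVSS v2): Low 0.0-3.9, Medium 4.0-6.9, High 7.0-10.0.
    return "Low" if score < 4.0 else "Medium" if score < 7.0 else "High"

def vector(m):
    return "/".join(f"{k}:{m[k][0]}" for k in WEIGHTS)
```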

5. CWE Type

This vulnerability has been classified under CWE as "Buffer Errors (CWE-Buffer Errors)".


IT Security Center,
Information-technology Promotion Agency, Japan (ISEC/IPA)