Font Size Change

HOMEIT SecurityMeasures for Information Security VulnerabilitiesIPA/ISEC:Vulnerabilities:Security Alert for Vulnerability in ALZip

PRINT PAGE

IT Security

IPA/ISEC:Vulnerabilities:Security Alert for Vulnerability in ALZip

Published: Jun 29, 2011
>> JAPANESE

Information-technology Promotion Agency, Japan (IPA, Chairman Kazumasa Fujie) has issued a security alert concerning security vulnerability in ALZip on June 29, 2011. To fix this vulnerability, reinstall the fixed version of ALZip provided by the Product vendor.

1.Overview

Alzip is developed by ESTsoft Japan Corp. and is a software that compresses data and minimizes the file size of the data to store and decompress them when needed (a data compression/decompression software). ALZip supports the file formats such as lzh, zip and mim.

ALZip is vulnerable to buffer overflow due to a flaw in a way it processes mim files. If exploited, an attacker could execute arbitrary code on the affected system.

Get the fixed version at the following URL and reinstall it:
http://www.altools.jp/download/alzip.aspx (Japanese)

For the latest information, refer to the following URL:
http://jvndb.jvn.jp/jvndb/JVNDB-2011-000048

In line with the Information Security Early Warning Partnership, the IPA received a report concerning this vulnerability through the creditee below, and the JPCERT Coordination Center (JPCERT/CC) made adjustments to clarify the matter with the product developer and made it public on June 29, 2011.

Credit: Takahiko Funakubo, ForteenForty Research Institute Inc.
(Reported: April 14, 2011)

2.Impact

An attacker could execute arbitrary code.

Security Alert for Vulnerability in Ichitaro Series

3.Solution

To fix this vulnerability, reinstall the fixed version of the software.

4.CVSS Severity

(1)Evaluation Result

Severity Rating
(CVSS base score)
□ Low
(0.0~3.9)
Medium
(4.0~6.9)
□ High
(7.0~10.0)
CVSS base score  
6.8

(2) Base Score Metrics

AV:Access Vector □ Local □ Adjacent
 Network
■ Network
AC:Access Complexity □ High ■ Medium □ Low
Au:Authentication □ Multiple □ Single ■ None
C:Confidentiality Impact □ None ■ Partial □ Complete
I:Integrity Impact □ None ■ Partial □ Complete
A:Availability Impact □ None ■ Partial □ Complete

■:Selected Values

5.CWE Type

This vulnerability has been CWE classified as "Buffer Errors (CWE-Buffer Errors)"

Contact

IT Security Center,
Information-technology Promotion Agency, Japan (ISEC/IPA)
E-mail: