IPA/ISEC:Vulnerabilities:Security Alert for Vulnerability in Multiple JustSystems Products

Published: May 8, 2012

Information-technology Promotion Agency, Japan (IPA, Chairman Kazumasa Fujie) issued a security alert concerning a security vulnerability in JustSystems products on April 24, 2012. To fix this vulnerability, update the software to the latest version.

1.Overview

Multiple products from JustSystems, such as the Japanese word processor "Ichitaro" series and the email software "Shuriken", have a buffer overflow vulnerability when reading image files, which could allow an attacker to execute arbitrary code on the target system.

Get the fixed version at the following URL and update the software.
http://www.justsystems.com/jp/info/js12001.html (Japanese)
For the latest information, refer to the following URL:
http://jvndb.jvn.jp/jvndb/JVNDB-2012-000035

IPA and JPCERT Coordination Center (JPCERT/CC) received a report concerning this vulnerability directly from the product vendor on February 15, 2012, and released the information on April 24.

2.Impact

An attacker could destroy the system or infect it with viruses and bots when a user views malicious document files in a web browser or opens malicious image files received via email.

[Figure: Security Alert for Vulnerability in Ichitaro Series]

3.Solution

To fix this vulnerability, update the software to the latest version provided by the product vendor.

4.CVSS Severity

(1)Evaluation Result

Severity Rating (CVSS base score) □ Low (0.0~3.9) ■ Medium (4.0~6.9) □ High (7.0~10.0)
CVSS base score 6.8

(2) Base Score Metrics

AV:Access Vector □ Local □ Adjacent Network ■ Network
AC:Access Complexity □ High ■ Medium □ Low
Au:Authentication □ Multiple □ Single ■ None
C:Confidentiality Impact □ None ■ Partial □ Complete
I:Integrity Impact □ None ■ Partial □ Complete
A:Availability Impact □ None ■ Partial □ Complete

■:Selected Values

5.CWE Type

This vulnerability has been classified under CWE as "Numeric Errors (CWE-189)".

Contact

IT Security Center,
Information-technology Promotion Agency, Japan (ISEC/IPA)
E-mail: