JVN#16817324: Multiple JustSystems products vulnerable to arbitrary code execution

Overview

Multiple products provided by JustSystems Corporation contain a vulnerability that may allow arbitrary code execution.

Products Affected

A wide range of products are affected.
For more information, refer to the information provided by the developer.

Description

Multiple products provided by JustSystems Corporation contain a vulnerability that may allow arbitrary code execution.
For more information, refer to the information provided by the developer.

Impact

Opening a file may cause arbitrary code to be executed with the privilege of the running application.

Solution

Update the software
Update to the latest version according to the information provided by the developer.

Vendor Status

Vendor	Link
JustSystems Corporation	[JS13001] Vulnerability in Ichitaro/Hanako may allow arbitrary code execution (Japanese Only)

References

IPA
Security Alert for Vulnerability in Multiple JustSystems Products(in Japanese)

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

Analyzed on 2013.02.26

Measures	Conditions	Severity
Access Required	can be attacked over the Internet using packets	High
Authentication	anonymous or no authentication (IP addresses do not count)	High
User Interaction Required	the user must be convinced to take a standard action that does not feel harmful to most users, such as click on a link or view a file	Mid
Exploit Complexity	some expertise and/or luck required (most buffer overflows, guessing correctly in small space, expertise in Windows function calls)	Mid-High

Description of each analysis measures

Credit

Other Information

JPCERT Alert
JPCERT Reports
CERT Advisory
CPNI Advisory
TRnotes
CVE	CVE-2013-0707
JVN iPedia	JVNDB-2013-000015

Update History

2013/03/07: Information under the section "References" was updated.

JVN#16817324 Multiple JustSystems products vulnerable to arbitrary code execution