Published:2017/07/07  Last Updated:2017/07/07

JVN#21627267
Microsoft IME may insecurely load Dynamic Link Libraries

Overview

Microsoft IME may insecurely load Dynamic Link Libraries.

Products Affected

  • Microsoft IME

Description

Microsoft IME, bundled with Microsoft Windows, contains an issue in loading DLLs.
When some application programs are invoked, they may initiate Microsoft IME. This IME, when initiated, checks a certain registry key for a file path to a DLL file and loads it.
This registry key does not exist by default, and can be created by a normal user.
If an application program is invoked with high privileges, this mechanism can be leveraged for privilege escalation attacks.
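
A defensive audit of the mechanism described above, as an added example that is not part of the original advisory and not Microsoft's code. The advisory does not name the registry key or its hive, so `$KeyPath` is a placeholder to be replaced, and `Test-DllPathKey` is a hypothetical helper name. The check reports whether the key exists (it does not by default) and, for each value that holds a DLL path, whether the file is present, its Authenticode status and its owner.

```powershell
# Added example: audit a registry key that is absent by default and may hold a DLL path.
# ASSUMPTION: the advisory names neither the key nor the hive; this is a placeholder.
$KeyPath = 'HKCU:\Software\<KEY-NOT-NAMED-IN-ADVISORY>'

function Test-DllPathKey {
    param([Parameter(Mandatory)][string]$Path)

    # The key does not exist by default, so its presence alone deserves review.
    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Key = $Path; Exists = $false; Findings = @() }
    }

    $key = Get-Item -LiteralPath $Path
    $findings = foreach ($name in $key.GetValueNames()) {
        $value = [string]$key.GetValue($name)
        # Only values that look like a path to a DLL are of interest here.
        if ($value -notmatch '\.dll"?\s*$') { continue }

        $dll = [Environment]::ExpandEnvironmentVariables($value.Trim().Trim('"'))
        $onDisk = Test-Path -LiteralPath $dll -PathType Leaf
        $sig = $null
        $owner = $null
        if ($onDisk) {
            # An unsigned DLL owned by a standard user is the pattern to investigate.
            $sig = (Get-AuthenticodeSignature -LiteralPath $dll).Status
            $owner = (Get-Acl -LiteralPath $dll).Owner
        }
        [pscustomobject]@{
            ValueName  = $name
            DllPath    = $dll
            FileExists = $onDisk
            Signature  = $sig
            Owner      = $owner
        }
    }
    [pscustomobject]@{ Key = $Path; Exists = $true; Findings = @($findings) }
}

$result = Test-DllPathKey -Path $KeyPath
"Key present: $($result.Exists)"
$result.Findings | Format-Table -AutoSize
```

The script reads the key in the context of the account that runs it, so on a shared machine it has to be run once per user profile being reviewed.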

Impact

Arbitrary code may be executed with the execution privilege of the application program which initiated Microsoft IME.
This can occur when a user is tricked into placing a malicious DLL file prepared by an attacker in a specific folder and entering that folder's location in the registry key.

Solution

Update the Software
Apply the Windows Updates according to the information provided by Microsoft.
This issue is addressed in MS16-130 released on November 8th, 2016.

Vendor Status

Vendor | Status | Last Update | Vendor Notes
Microsoft Japan Co.,Ltd. | Vulnerable | 2017/07/07 |

References

  1. Japan Vulnerability Notes JVNTA#91240916
    Insecure DLL Loading and Command Execution Issues on Many Windows Application Programs

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

CVSS v3 CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Base Score: 7.8
  • Attack Vector (AV): Local (L)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Required (R)
  • Scope (S): Unchanged (U)
  • Confidentiality Impact (C): High (H)
  • Integrity Impact (I): High (H)
  • Availability Impact (A): High (H)

CVSS v2 AV:N/AC:H/Au:N/C:P/I:P/A:P
Base Score: 5.1
  • Access Vector (AV): Network (N)
  • Access Complexity (AC): High (H)
  • Authentication (Au): None (N)
  • Confidentiality Impact (C): Partial (P)
  • Integrity Impact (I): Partial (P)
  • Availability Impact (A): Partial (P)

Credit

Takashi Yoshikawa of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

Other Information

CVE: CVE-2016-7221
JVN iPedia: JVNDB-2016-005802