JVN#47875752
GungHo LoadPrgAx vulnerable to arbitrary Java program execution
Overview
LoadPrgAx ActiveX control from GungHo Online Entertainment, Inc. contains a vulnerability that allows an attacker to execute an arbitrary Java program.
Products Affected
- LoadPrgAx version 1,0,0,6 and earlier
Description
LoadPrgAx from GungHo Online Entertainment, Inc. is an ActiveX control that runs games provided by the company. LoadPrgAx contains a vulnerability that allows an attacker to execute an arbitrary Java program that resides on a user's PC.
Impact
If a user views a specially crafted HTML document (web pages or HTML email), an arbitrary Java program on the user's PC could be executed.
Solution
Update the Software
Update to the latest version provided by the vendor.
Vendor Status
Vendor | Link |
---|---|
GungHo Online Entertainment, Inc. | Security update for ActiveX control (program) |
References
JPCERT/CC Addendum
LoadPrgAx version 1,0,0,7, which addresses this vulnerability, has been distributed by the vendor since November 5, 2008.
Vulnerability Analysis by JPCERT/CC
Analyzed on 2008.11.17
Measures | Conditions | Severity |
---|---|---|
Access Required | Routed - can be attacked over the Internet using packets | |
Authentication | None - anonymous or no authentication (IP addresses do not count) | |
User Interaction Required | Simple - the user must be convinced to take a standard action that does not feel harmful to most users, such as click on a link or view a file | |
Exploit Complexity | Low-Medium - some expertise and/or luck required (most buffer overflows, guessing correctly in small space, expertise in Windows function calls) | |
Credit
Other Information
JPCERT Alert | |
JPCERT Reports | |
CERT Advisory | |
CPNI Advisory | |
TRnotes | |
CVE | CVE-2008-5495 |
JVN iPedia | JVNDB-2008-000077 |