Published:2009/09/02  Last Updated:2010/03/23

ATOK screen lock bypass vulnerability


ATOK from JustSystems Corporation contains a screen lock bypass vulnerability.

Products Affected

  • ATOK for Windows
  • ATOK Smile
For more information, refer to the vendor's website.


ATOK from JustSystems Corporation is a software for Japanese Kana-Kanji conversion. ATOK contains an issue with the restriction of launching external applications, which may lead to a screen lock bypass vulnerability.


An attacker could execute arbitrary code or program with the privileges of the LocalSystem account.


Update the Software
Apply the applicable update according to the information provided by JustSystems.

Vendor Status

Vendor Status Last Update Vendor Notes
JustSystems Corporation Vulnerable 2009/09/02


  1. IPA
    Security Alert for Vulnerability in ATOK

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

Analyzed on 2009.09.02

Measures Conditions Severity
Access Required Local - requires you to login into the box to a shell or remote desktop
  • Medium
Authentication None - anonymous or no authentication (IP addresses do not count)
  • High
User Interaction Required None - the vulnerability can be exploited without an honest user taking any action
  • High
Exploit Complexity Low-Medium - some expertise and/or luck required (most buffer overflows, guessing correctly in small space, expertise in Windows function calls)
  • Medium-High

Description of each analysis measures


Taku Kudo of Google Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

Other Information

JPCERT Reports
CERT Advisory
CPNI Advisory
CVE CVE-2009-4738
JVN iPedia JVNDB-2009-000057

Update History