Information from Yasutaka ATARASHI
Vulnerability ID: JVN#79301396
Title: Susie plug-in "axpdfium" may insecurely load Dynamic Link Libraries
Status: Vulnerable
This is a statement from the vendor itself with no modification by JPCERT/CC.
## Overview
axpdfium.spi v0.01 contains a vulnerability that can cause it to load unintended DLLs.
An attacker who exploits this vulnerability can execute arbitrary code with the access rights of the application that loads this plugin.
## Affected version
axpdfium v0.01 (2015/01/15)
## How to confirm version
You can check the plugin version by opening the "Configuration" or "About" dialog for Susie plugins in an application that uses them. See the application's documentation for the detailed procedure.
Alternatively, temporarily rename the extension of axpdfium.spi to .dll and view the file's properties in Explorer (or another application for browsing the file system). The version is shown as the product version on the Details tab.
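
The same product-version check can be scripted across a machine without renaming the file. The PowerShell below is an added example, not part of the vendor's statement; the default search roots and the expectation that the product version string reads like "0.01" or "0.02" are assumptions, and anything that does not fit that form is reported for manual review.

```powershell
# Added example: inventory copies of axpdfium.spi and classify them against
# the advisory (v0.01 affected, v0.02 or later fixed).
# Assumption: Susie plug-ins sit somewhere under these roots; pass -Roots to override.
param(
    [string[]]$Roots = @("$env:ProgramFiles", "${env:ProgramFiles(x86)}", "$env:USERPROFILE")
)

$fixed = [version]'0.02'   # first fixed release named in the advisory

function Get-AxpdfiumStatus {
    param([System.IO.FileInfo]$File)

    # VersionInfo reads the PE version resource regardless of the file
    # extension, so the .spi does not have to be renamed to .dll.
    $raw = $File.VersionInfo.ProductVersion
    $status = 'unknown: product version not in major.minor form, check manually'

    # Assumption: the string looks like "0.01" / "0.02" as written in the advisory.
    if ($raw -match '^\s*v?(\d+)\.(\d+)\s*$') {
        $v = [version]("{0}.{1}" -f [int]$Matches[1], [int]$Matches[2])
        $status = if ($v -lt $fixed) { 'AFFECTED: update to v0.02 or later' } else { 'fixed' }
    }

    [pscustomobject]@{
        Path           = $File.FullName
        ProductVersion = $raw
        Status         = $status
        LastWriteTime  = $File.LastWriteTime
    }
}

$Roots |
    Where-Object { $_ -and (Test-Path -LiteralPath $_) } |
    ForEach-Object {
        Get-ChildItem -LiteralPath $_ -Filter 'axpdfium.spi' -File -Recurse -ErrorAction SilentlyContinue
    } |
    ForEach-Object { Get-AxpdfiumStatus $_ } |
    Format-Table -AutoSize -Wrap
```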
## Impact
When this plugin is loaded, it may load a specific DLL from a specific folder.
If an attacker places a crafted DLL there, arbitrary code can be executed with the access rights of the application that loads this plugin.
## Solution
Please update to axpdfium v0.02 (2018/05/15) or later.
You can simply overwrite the old file, because there is no configuration file.