Published:2012/04/24 Last Updated:2012/04/24
JVN#95378720
Multiple JustSystems products may insecurely load dynamic libraries
Overview
Multiple JustSystems products may use unsafe methods for determining how to load DLL's.
Products Affected
- Ichitaro 2011 Sou
- Ichitaro 2011/2010/2009/2008/2007/2006
- Ichitaro Government 2010/2009/2008/2007/2006
- Ichitaro Portable with oreplug
- Ichitaro Viewer
- JUST School 2010/2009
- JUST School
- JUST Jump 4
- JUST Frontier
- oreplug
Description
Multiple JustSystems products contain an issue with the DLL search path, which may lead to insecurely loading dynamic libraries.
Impact
Arbitrary code may be executed with the privileges of the running application.
Solution
Update the software
Apply the appropriate update according to the information provided by the developer.
Vendor Status
| Vendor | Link |
| JustSystems Corporation | [JS12001] Vulnerability in Ichitaro/Shuriken may allow arbitrary code execution (Japanese Only) |
References
JPCERT/CC Addendum
Vulnerability Analysis by JPCERT/CC
Analyzed on 2012.04.24
| Measures | Conditions | Severity |
|---|---|---|
| Access Required | can be attacked over the Internet using packets |
|
| Authentication | anonymous or no authentication (IP addresses do not count) |
|
| User Interaction Required | the user must be convinced to take a standard action that does not feel harmful to most users, such as click on a link or view a file |
|
| Exploit Complexity | some expertise and/or luck required (most buffer overflows, guessing correctly in small space, expertise in Windows function calls) |
|
Credit
Naoto Katsumi of LAC Co., Ltd. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Other Information
| JPCERT Alert | |
| JPCERT Reports | |
| CERT Advisory |
|
| CPNI Advisory |
|
| TRnotes |
|
| CVE |
CVE-2012-1242 |
| JVN iPedia |
JVNDB-2012-000034 |