JVN#18420340
Multiple vulnerabilities in BOOK WALKER for Windows/Mac
Overview
BOOK WALKER for Windows/Mac provided by BOOK WALKER Co.,Ltd. contain multiple vulnerabilities.
Products Affected
・CVE-2017-10887
BOOK WALKER for Windows Ver.1.2.9 and earlier
・CVE-2017-10888
BOOK WALKER for Windows Ver.1.2.9 and earlier
BOOK WALKER for Mac Ver.1.2.5 and earlier
Description
BOOK WALKER for Windows/Mac provided by BOOK WALKER Co.,Ltd. are applications for viewing e-books. The installer of BOOK WALKER for Windows contains a vulnerability that may lead to insecure loading of Dynamic Link Libraries (DLLs) from the directory the installer is launched from.
Also BOOK WALKER for Windows/Mac contain a vulnerability which may lead to information disclosure as a result of reading a specially crafted file.
- DLL preloading vulnerability (CWE-427) - CVE-2017-10887
CVSS v3 CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H Base Score: 7.8
CVSS v2 AV:N/AC:M/Au:N/C:P/I:P/A:P Base Score: 6.8
- Information disclosure vulnerability (CWE-200) - CVE-2017-10888
CVSS v3 CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N Base Score: 5.5
CVSS v2 AV:N/AC:M/Au:N/C:C/I:N/A:N Base Score: 7.1
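The DLL preloading issue above (CWE-427) comes down to the Windows DLL search order: when an installer asks for a DLL by bare file name, the directory the executable was started from is probed before System32, so a DLL planted in the user's Downloads folder wins. The following Python model is an added example, not code from BOOK WALKER or JPCERT/CC; the directories, the DLL name "helper.dll" and the planted files are constructed, and the two search orders it models are the documented default order (SafeDllSearchMode enabled; the 16-bit System directory and PATH are omitted for brevity) and the restricted order an application gets from SetDefaultDllDirectories(LOAD_LIBRARY_SEARCH_SYSTEM32) or LoadLibraryEx with LOAD_LIBRARY_SEARCH_SYSTEM32.

```python
"""Model of the Windows DLL search order behind CWE-427 (DLL preloading).

Added illustration, not BOOK WALKER's code: directories, DLL names and the
"planted" files are constructed. It shows why an installer run from
Downloads loads a planted DLL under the default search order, and why the
same lookup is safe once the search is restricted to System32.
"""
from pathlib import PureWindowsPath

SYSTEM32 = PureWindowsPath(r"C:\Windows\System32")
WINDOWS = PureWindowsPath(r"C:\Windows")

# Names listed under HKLM\...\Session Manager\KnownDLLs are mapped from the
# already-loaded system copy and never searched for on disk, so planting a
# file with one of these names in Downloads achieves nothing.
KNOWN_DLLS = {"ntdll.dll", "kernel32.dll", "user32.dll", "advapi32.dll"}


def search_order(app_dir, cwd, restricted=False):
    """Directories probed, in order, for a DLL requested by bare file name."""
    if restricted:
        # LOAD_LIBRARY_SEARCH_SYSTEM32: only the system directory is probed.
        return [SYSTEM32]
    # Default order (SafeDllSearchMode on): the directory the executable was
    # started from comes first, which is the whole problem for an installer
    # launched from a folder the browser writes to.
    return [app_dir, SYSTEM32, WINDOWS, cwd]


def resolve_dll(name, app_dir, cwd, filesystem, restricted=False):
    """Return the path LoadLibrary(name) would load, or None if not found.

    filesystem is a set of PureWindowsPath objects standing in for the
    files that exist on disk (constructed for the example).
    """
    if name.lower() in KNOWN_DLLS:
        return SYSTEM32 / name
    for directory in search_order(app_dir, cwd, restricted):
        candidate = directory / name
        if candidate in filesystem:
            return candidate
    return None


def stray_dlls_beside(installer, filesystem):
    """DLLs sitting next to an installer: the check to make before running
    a freshly downloaded setup program from a shared download folder."""
    folder = installer.parent
    return sorted(
        p for p in filesystem
        if p.parent == folder and p.suffix.lower() == ".dll"
    )


# Constructed scenario: the victim saves the installer into Downloads, where
# a drive-by download has earlier dropped an attacker-supplied DLL with a
# name the installer happens to load (hypothetical name "helper.dll").
DOWNLOADS = PureWindowsPath(r"C:\Users\alice\Downloads")
INSTALLER = DOWNLOADS / "BOOKWALKER_Setup.exe"
FILESYSTEM = {
    INSTALLER,
    DOWNLOADS / "helper.dll",      # planted by the attacker
    DOWNLOADS / "kernel32.dll",    # planted too, but a KnownDLL
    SYSTEM32 / "helper.dll",       # the legitimate copy
    SYSTEM32 / "kernel32.dll",
}


if __name__ == "__main__":
    for restricted in (False, True):
        hit = resolve_dll("helper.dll", DOWNLOADS, DOWNLOADS, FILESYSTEM, restricted)
        print(f"restricted={restricted}: helper.dll -> {hit}")
    print("stray DLLs beside installer:", stray_dlls_beside(INSTALLER, FILESYSTEM))
```

Under the default order the lookup returns the copy in Downloads; with the restricted order it returns the System32 copy, and the KnownDLL name is unaffected either way. The `stray_dlls_beside` check is the user-side mitigation that matches the advice below to install from a clean, current installer: any DLL next to a setup program in a download folder is a reason not to run it from there.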
Impact
- Arbitrary code may be executed with the privilege of the user invoking the installer. - CVE-2017-10887
- An arbitrary local file may be read by an attacker, which may result in information disclosure. - CVE-2017-10888
Solution
Solution for CVE-2017-10887:
Use the latest installer
When installing BOOK WALKER for Windows for the first time, be sure to use the latest installer according to the information provided by the developer.
Solution for CVE-2017-10888:
Update the software
Update to the latest version according to the information provided by the developer.
Vendor Status
Vendor | Status | Last Update | Vendor Notes |
---|---|---|---|
BOOK WALKER Co.,Ltd. | Vulnerable | 2017/11/14 | BOOK WALKER Co.,Ltd. website |
References
- Japan Vulnerability Notes JVNTA#91240916: Insecure DLL Loading and Command Execution Issues on Many Windows Application Programs
JPCERT/CC Addendum
Vulnerability Analysis by JPCERT/CC
Credit
Yuji Tounai of NTT Communications Corporation reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Other Information
JPCERT Alert: (none)
JPCERT Reports: (none)
CERT Advisory: (none)
CPNI Advisory: (none)
TRnotes: (none)
CVE: CVE-2017-10887, CVE-2017-10888
JVN iPedia: JVNDB-2017-000237