Published:2017/09/14  Last Updated:2017/09/14

JVN#75929834
Install program and Installer of i-フィルター 6.0 may insecurely load Dynamic Link Libraries and invoke executable files

Overview

Install program and Installer of i-フィルター 6.0 may insecurely load Dynamic Link Libraries and invoke executable files.

Products Affected

CVE-2017-10858

  • "i-フィルター 6.0 install program" file version 1.0.8.1 and earlier

CVE-2017-10859, CVE-2017-10860

  • "i-フィルター 6.0 installer" whose code-signing timestamp is before 23 Aug 2017 (JST)

Description

i-フィルター 6.0 provided by Digital Arts Inc. is web filtering and parental control software. The install program is designed to download the installer via the internet and execute it. The i-フィルター 6.0 install program and installer contain the following vulnerabilities.

  • Issue that may lead to insecure loading of Dynamic Link Libraries (CWE-427) - CVE-2017-10858, CVE-2017-10859
    CVSS v3 CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H Base Score: 7.8
    CVSS v2 AV:N/AC:M/Au:N/C:P/I:P/A:P Base Score: 6.8
  • Issue that may lead to insecure invocation of an executable file (CWE-427) - CVE-2017-10860
    CVSS v3 CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H Base Score: 7.8
    CVSS v2 AV:N/AC:M/Au:N/C:P/I:P/A:P Base Score: 6.8

Impact

Arbitrary code may be executed with the privilege of the user running the install program or the installer.

Solution

Use the latest install program or installer
Use the latest install program or installer according to the information provided by the developer.
Note that the vulnerabilities affect the install program and the installer only, thus users who have already installed i-フィルター 6.0 do not need to re-install the software.
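
A check for stored copies of the two files against the criteria under Products Affected, as an added example that is not part of this advisory or of the vendor's tooling. It assumes the file version and code-signing timestamp have already been read from each file's properties, and that "before 23 Aug 2017 (JST)" means earlier than 00:00 JST on that date; the function names and sample records are constructed.

```python
from datetime import datetime, timedelta, timezone

JST = timezone(timedelta(hours=9))
# Thresholds from "Products Affected" in this advisory.
LAST_AFFECTED_INSTALL_PROGRAM = (1, 0, 8, 1)
# Assumption: "before 23 Aug 2017 (JST)" means earlier than 00:00 JST that day.
INSTALLER_CUTOFF = datetime(2017, 8, 23, tzinfo=JST)


def parse_file_version(text):
    """Parse '1.0.8.1' or '1, 0, 8, 1' into a 4-tuple of ints."""
    parts = [p.strip() for p in text.replace(",", ".").split(".")]
    if not 1 <= len(parts) <= 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a file version: {text!r}")
    nums = [int(p) for p in parts]
    return tuple(nums + [0] * (4 - len(nums)))


def install_program_affected(file_version):
    """CVE-2017-10858: file version 1.0.8.1 and earlier (numeric compare)."""
    return parse_file_version(file_version) <= LAST_AFFECTED_INSTALL_PROGRAM


def installer_affected(signing_time):
    """CVE-2017-10859/-10860: code-signing timestamp before the cutoff."""
    ts = datetime.fromisoformat(signing_time.replace("Z", "+00:00"))
    if ts.tzinfo is None:
        # A naive time could be UTC or JST; nine hours matter at the cutoff.
        raise ValueError("signing time needs an explicit UTC offset")
    return ts < INSTALLER_CUTOFF


def triage(records):
    """Return names of files that match the affected criteria."""
    checks = {"install_program": install_program_affected,
              "installer": installer_affected}
    return [r["name"] for r in records if checks[r["kind"]](r["value"])]


# Constructed sample inventory (file names and values are made up).
SAMPLE = [
    {"name": "copy-a.exe", "kind": "install_program", "value": "1.0.8.1"},
    {"name": "copy-b.exe", "kind": "install_program", "value": "1.0.10.0"},
    {"name": "copy-c.exe", "kind": "installer", "value": "2017-08-22T14:59:59Z"},
    {"name": "copy-d.exe", "kind": "installer", "value": "2017-08-22T15:00:00Z"},
]

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Files this flags should be deleted and replaced with the current download from the developer rather than run.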

Vendor Status

Vendor | Status | Last Update | Vendor Notes
Digital Arts Inc. | Vulnerable | 2017/09/14 | Digital Arts Inc. website

References

  1. Japan Vulnerability Notes JVNTA#91240916
    Insecure DLL Loading and Command Execution Issues on Many Windows Application Programs

Credit

Eili Masami of Tachibana Lab. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

Other Information

CVE: CVE-2017-10858, CVE-2017-10859, CVE-2017-10860
JVN iPedia: JVNDB-2017-000223