Published: 2021/09/10  Last Updated: 2021/09/10

JVN#81658818
Multiple vulnerabilities in RevoWorks Browser

Overview

RevoWorks Browser provided by J’s Communication Co., Ltd. contains multiple vulnerabilities.

Products Affected

  • RevoWorks Browser 2.1.230 and earlier
According to the developer, RevoWorks Browser 2.0.x is not affected by these vulnerabilities.

Description

RevoWorks Browser provided by J’s Communication Co., Ltd. is a virtual browser which enables internet isolation.
It provides a function that enables access from the local environment to drives, folders, files, and registries under the isolated environment while the web browser is running.
RevoWorks Browser contains the multiple vulnerabilities listed below, which are due to improper control of access and program execution between the local environment and the isolated environment.

  • Improper control of program execution (CWE-114) - CVE-2021-20790
    CVSS v3 CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H Base Score: 8.6
    CVSS v2 AV:N/AC:M/Au:N/C:P/I:P/A:P Base Score: 6.8
  • Improper access control (CWE-284) - CVE-2021-20791
    CVSS v3 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N Base Score: 5.2
    CVSS v2 AV:L/AC:L/Au:S/C:P/I:P/A:N Base Score: 3.2

Impact

  • An arbitrary command or code may be executed on the user's web browser that is running under the isolated environment - CVE-2021-20790
  • Unauthorized files may be exchanged between the local environment and the isolated environment, or settings of the web browser may be altered - CVE-2021-20791

Solution

Update the software
Update the software to the latest version according to the information provided by the developer.
The developer has released RevoWorks Browser 2.2.50 that addresses the vulnerabilities.
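
To apply the version information above to a software inventory, the following added example (not part of the original advisory or the developer's tooling) classifies installed RevoWorks Browser versions against the ranges this advisory states. It assumes versions are reported as three dot-separated numbers; the host names and inventory values are constructed.

```python
import re

# Boundaries taken from the advisory text.
LAST_AFFECTED = (2, 1, 230)  # "RevoWorks Browser 2.1.230 and earlier"
FIRST_FIXED = (2, 2, 50)     # release that addresses both CVEs


def parse_version(text):
    """Return (major, minor, build), or None if the string is not N.N.N."""
    m = re.fullmatch(r"\s*(\d+)\.(\d+)\.(\d+)\s*", text)
    return tuple(int(p) for p in m.groups()) if m else None


def triage(version_text):
    """Classify one installed version against the advisory's ranges."""
    v = parse_version(version_text)
    if v is None:
        return "unparseable"      # needs manual review
    if v[:2] == (2, 0):
        return "not affected"     # developer states 2.0.x is not affected
    if v <= LAST_AFFECTED:
        # Assumption: "and earlier" is read literally, so releases
        # below 2.0 are also treated as affected.
        return "affected"
    if v >= FIRST_FIXED:
        return "fixed"
    # Versions after 2.1.230 and before 2.2.50 are not described
    # by the advisory; do not guess either way.
    return "not covered"


def triage_inventory(inventory):
    """Map each host to the status of its installed version."""
    return {host: triage(ver) for host, ver in inventory.items()}


# Constructed sample inventory (hypothetical hosts and versions).
SAMPLE_INVENTORY = {
    "pc-001": "2.1.230",
    "pc-002": "2.0.17",
    "pc-003": "2.2.50",
    "pc-004": "2.1.231",
    "pc-005": "unknown",
}

if __name__ == "__main__":
    for host, status in sorted(triage_inventory(SAMPLE_INVENTORY).items()):
        print(f"{host}: {SAMPLE_INVENTORY[host]} -> {status}")
```

Hosts reported as "affected" should be updated as described above; "not covered" and "unparseable" results need to be checked against the developer's information.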

Credit

J’s Communication Co., Ltd. reported these vulnerabilities to IPA to notify users of the solution through JVN. JPCERT/CC and J’s Communication Co., Ltd. coordinated under the Information Security Early Warning Partnership.

Other Information

CVE: CVE-2021-20790, CVE-2021-20791
JVN iPedia: JVNDB-2021-000074