ISS X-Force Database: justsystems-jstar04-bo(38130): JustSystems Ichitaro JSTARO4.OCX buffer overflow

JustSystems Ichitaro JSTARO4.OCX buffer overflow

justsystems-jstar04-bo (38130)

High Risk

Description:

JustSystems Ichitaro is vulnerable to multiple stack-based buffer overflows, caused by improper bounds checking by the JSTARO4.OCX object. By persuading a victim to open a specially-crafted Word document using a plug-in browser, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash.

Platforms Affected:

JustSystems, Ichitaro 11
JustSystems, Ichitaro 12
JustSystems, Ichitaro 13
JustSystems, Ichitaro 2004
JustSystems, Ichitaro 2005
JustSystems, Ichitaro 2006
JustSystems, Ichitaro 2007
JustSystems, Ichitaro for Linux
JustSystems, Ichitaro Lite2
JustSystems, Ichitaro viewer 4.x

Remedy:

Refer to the JUSTSYSTEMS Web site for patch, upgrade, or suggested workaround information. See References.

Consequences:

Gain Access

References:

FFRRA-20071025-1, 2007 JSTARO4.OCX at http://www.fourteenforty.jp/research/advisory.cgi?FFRRA-20071025-1.
FFRRA-20071025-2, 2007 JSTARO4.OCX at http://www.fourteenforty.jp/research/advisory.cgi?FFRRA-20071025-2.
JUSTSYSTEMS Web site, Ichitaro security renewal module at http://www.justsystems.com/jp/info/pd7004.html. (Web site is inJapanese)
BID-26206: JustSystem Ichitaro JSTARO4.OCX and TJSVDA.DLL Multiple Buffer Overflow Vulnerabilities
CVE-2007-5687: Multiple buffer overflows in the rich text processing functionality in JustSystems Ichitaro 2004 through 2007, 11 through 13, and other versions allow remote attackers to execute arbitrary code via a long (1) pard field or (2) font name in the fcharset0 field, which is not properly handled in (a) JSTARO4.OCX; or (3) a long title, which is not properly handled by (b) TJSVDA.DLL.
SA27393: JustSystems Ichitaro Document Processing Multiple Buffer Overflows
VUPEN/ADV-2007-3623: JustSystems Ichitaro Document Handling Buffer Overflow Vulnerabilities

Reported:

Oct 25, 2007

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@iss.net

Return to the main page