[Japanese]

JVNDB-2010-000059

Vulnerability in Epson printer driver installer where access permissions are changed

Overview

A vulnerability in printer driver installers provided by Epson cause access permissions to a certain folder on the system to be changed.

When printer drivers provided by Epson are installed, the access permissions for the folder that contains program files (C:\Program Files) are changed. As a result, users that do not have permission to access that folder can gain access to that folder.

According to the developer, printer drivers that were included with the product or downloaded from the developer website from the initial release of May 2010 through November 25, 2010 are affected by this vulnerability.
Also, users of Windows Vista and later operating systems are not affected.
CVSS Severity (What is CVSS?)

Base Metrics: 2.1 (Low) [IPA Score]
  • Access Vector: Local
  • Access Complexity: Low
  • Authentication: None
  • Confidentiality Impact: None
  • Integrity Impact: Partial
  • Availability Impact: None

Affected Products


SEIKO EPSON CORPORATION
  • Driver for LP-S7100 prior to Ver4.1.11 (32-bit and 64-bit)
  • Driver for LP-S9000 prior to Ver4.1.7 (32-bit and 64-bit)

Impact

A user that does not have permission to access the folder may create, modify or delete arbitrary files or folders.
Solution

[Update the software and change the settings]
Apply the update and change the settings, according to the information provided by the developer.
Vendor Information

SEIKO EPSON CORPORATION
CWE (What is CWE?)

  1. No Mapping(CWE-DesignError) [IPA Evaluation]
CVE (What is CVE?)

  1. CVE-2010-3920
References

  1. JVN : JVN#62736872
  2. National Vulnerability Database (NVD) : CVE-2010-3920
  3. Secunia Advisory : SA42540
  4. OPEN SOURCE VULNERABILITY DATABASE (OSVDB) : 69678
Revision History

[2010/12/08]
  Web page published