[Japanese]

JVNDB-2012-000089

ATOK for Android issue in the access permissions for the learning information file

Overview

ATOK for Android provided by JUST Systems, contains an issue in the access permissions for the learning information file.

ATOK for Android provided by JUST Systems contains an issue where another application may access the learning information file which stores user input strings.

Gaku Mochizuki of Mitsui Bussan Secure Directions, Inc. reported this information to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
CVSS Severity (What is CVSS?)

CVSS V2 Severity:
Base Metrics 2.6 (Low) [IPA Score]
  • Access Vector: Network
  • Access Complexity: High
  • Authentication: None
  • Confidentiality Impact: Partial
  • Integrity Impact: None
  • Availability Impact: None
Affected Products


JustSystems Corporation
  • ATOK for Android versions prior to 1.0.4

According to the developer, version information can be obtained through the following steps.

[Steps for checking version number]
By long touch "A1" at a screen where text can be entered,
open ATOK Menu -> tap ATOK Settings.
Check the version number towards the bottom.

Japanese text entering system ATOK
Ver.1.X.X <- this number is the version number
(C)2012 JUST Systems

* This issue is addressed in versions after Ver.1.0.4
Impact

If a user of the affected product uses other malicious Android application, the learning information file may be obtained.
Solution

[Update the software]
Update to the latest version according to the information provided by the developer.
Vendor Information

JustSystems Corporation
CWE (What is CWE?)

  1. Permissions(CWE-264) [IPA Evaluation]
CVE (What is CVE?)

  1. CVE-2012-4016
References

  1. JVN : JVN#93344001
  2. National Vulnerability Database (NVD) : CVE-2012-4016
Revision History

  • [2012/09/25]
      Web page was published

Date Public2012/09/25
Date First Published2012/09/25
Date Last Updated2012/09/25