LoadLibrary function in Microsoft Windows fails to validate input properly


The LoadLibrary function in Microsoft Windows fails to validate input properly. As a result, it may load a specially crafted DLL file (CWE-114).

Takashi Yoshikawa of Mitsui Bussan Secure Directions reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
CVSS Severity (What is CVSS?)

CVSS V2 Severity:
Base Metrics 7.6 (High) [IPA Score]
  • Access Vector: Network
  • Access Complexity: High
  • Authentication: None
  • Confidentiality Impact: Complete
  • Integrity Impact: Complete
  • Availability Impact: Complete
Affected Products

Microsoft Corporation
  • Microsoft Windows


An arbitrary code may be executed as a result of an application loads a specially crafted DLL file.

[Update the Software]
This issue was addressed in MS15-063, released on June 10. 2015. Apply the update according to the information provided by Microsoft.
Vendor Information

Microsoft Corporation
  • Microsoft Security Bulletin : MS15-063
CWE (What is CWE?)

  1. Improper Input Validation(CWE-20) [IPA Evaluation]
CVE (What is CVE?)

  1. CVE-2015-1758

  1. JVN : JVN#18146081
  2. IPA SECURITY ALERTS : Security Alert for Vulnerability in Microsoft Windows (June 2015)(JVN#18146081) (in Japanese)
  3. JPCERT REPORT : JPCERT-AT-2015-0016
  4. @Police : For Microsoft security fix (MS15-056,057,059,060,061,062,063,064)(2015/06/10) (in Japanese)
Revision History

  • [2015/06/12]
      Web page was published