LINE for Windows may insecurely load Dynamic Link Libraries


LINE for Windows provided by LINE Corporation contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries.

Takashi Yoshikawa of Mitsui Bussan Secure Directions reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
CVSS Severity

CVSS V3 Severity:
Base Metrics 7.8 (High) [IPA Score]
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High
CVSS V2 Severity:
Base Metrics 6.8 (Medium) [IPA Score]
  • Access Vector: Network
  • Access Complexity: Medium
  • Authentication: None
  • Confidentiality Impact: Partial
  • Integrity Impact: Partial
  • Availability Impact: Partial
Affected Products

LINE Corporation
  • LINE for Windows ver 4.7.0 and earlier
  • LINE Installer for Windows ver 4.7.0 and earlier

[Added on August 19, 2016]
Note that LINE Installer for Windows (ver 4.8.0) did not address the vulnerability completely. Newer versions have been released.

Arbitrary code may be executed with the privileges of the running application.

[Update the Software]
For current users of LINE for Windows, the application will automatically update to the latest version provided by the developer.
For users who will be installing LINE for Windows, the developer has provided an updated version of the installer; please use this version of the installer.
Vendor Information

LINE Corporation
CWE

  1. No Mapping(CWE-Other) [IPA Evaluation]
CVE

  1. CVE-2016-4831

References

  1. JVN : JVN#51565015
  2. National Vulnerability Database (NVD) : CVE-2016-4831
Revision History

  • [2016/07/08]
      Web page was published
      References : Content was added
      Affected Products : Content was added