JVNDB-2017-000223

Install program and Installer of i-filter 6.0 may insecurely load Dynamic Link Libraries and invoke executable files

i-filter 6.0 provided by Digital Arts Inc. is web filtering and parental control software. The install program is designed to download the installer via the internet and execute it. The i-filter 6.0 install program and installer contain the following vulnerabilities.

Eili Masami of Tachibana Lab. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

Digital Arts Inc.

• i-filter 6.0 install program" file version 1.0.8.1 and earlier
• i-filter 6.0 installer" timestamp of code signing is before 23 Aug 2017 (JST)

Arbitrary code may be executed with the privilege of the user running the install program or the installer.

[Use the latest install program or installer]
Use the latest install prgram or installer according to the information provided by the developer.
Note that the vulnerabilities affect the install program and the installer only, thus users who have already installed i-filter 6.0 do not need to re-install the software.

Digital Arts Inc.

• Digital Arts Inc. : Digital Arts Inc. website (in Japanese)

1. No Mapping(CWE-Other) [IPA Evaluation]

1. CVE-2017-10858
2. CVE-2017-10859
3. CVE-2017-10860

1. JVN : JVN#75929834
2. JVN : JVNTA#91240916
3. National Vulnerability Database (NVD) : CVE-2017-10858
4. National Vulnerability Database (NVD) : CVE-2017-10859
5. National Vulnerability Database (NVD) : CVE-2017-10860

• [2017/09/29]
    Web page was published