Endpoint Security

Researchers Find Flaws in Japanese Word Processor Ichitaro

JustSystems, Maker of Ichitaro, Says No Attacks Have Been Spotted
Researchers Find Flaws in Japanese Word Processor Ichitaro
Image: Shutterstock

Security researchers uncovered vulnerabilities in a word processing application used primarily in Japan, warning that malicious documents could let hackers seize control.

See Also: Webinar | Navigating “Shift-left” in Container Security

Cisco Talos on Wednesday reported it had identified four arbitrary code execution flaws in the Ichitaro word processor. The word processor maker, JustSystems, said it has not confirmed any attacks exploiting the vulnerabilities and has issued fixes for the flaws.

Once dominant in the Japanese market, Ichitaro ceded considerable market share to the Microsoft Office suite of programs during the 1990s but is still commonly described as the country's second-most-used word processing application. It uses a .jtd format, which Fortinet describes as an Object Linking and Embedding format.

Talos says CVE-2022-43664 can trigger the reuse of freed memory by the attacker -ultimately resulting in arbitrary code execution - while CVE-2023-22660 gets to arbitrary code execution through a bugger overflow condition.

The two other vulnerabilities, CVE-2023-22291 and CVE-2022-45115, are memory corruption vulnerabilities.

JustSystems said the flaws affected the 2021, 2022 and 2023 versions of Ichitaro along with the Ichitaro 2022 Trial Version and Ichitaro Viewer, and enabled an attacker to crash the application.

Japan's Computer Emergency Response Team said the vulnerabilities also affected additional JustSystems products.

Ichitaro has gone through security incidents in the past, including in 2013, when attackers, possibly of Chinese state origin, exploited a zero-day vulnerability.

About the Author

Jayant Chakravarti

Jayant Chakravarti

Senior Editor, APAC

Chakravarti covers cybersecurity developments in the Asia-Pacific region. He has been writing about technology since 2014, including for Ziff Davis.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.com, you agree to our use of cookies.