Zero-day Vulnerabilities: Following the Trailblazers 

Dec 13, 2007 03:00 AM

In the world of IT, many vendors publish software sprinkled with bugs and potential security holes. It is very difficult (some would argue next to impossible) and extremely costly to create totally bug- and vulnerability-free software. So software vendors usually aim for a balance between acceptable quality versus cost. Of course that means some software contains bugs and vulnerabilities just waiting to be uncovered. In the majority of cases, the vendors and their software never come to the attention of malware creators, either because nobody bothered to look or a "trailblazer" vulnerability has yet to be discovered.

A few unlucky vendors who have had exploitable vulnerabilities exposed begin to appear on the radar of malware creators who, like vultures to a wounded desert animal, dive in on the software, attacking it from all angles, frantically trying to sink their claws into more tasty vulnerabilities.

Such is the case with JustSystems' Ichitaro, a Japanese word processing application. Ever since we first came across an exploitable vulnerability in the software back in August 2006, we have seen a steady flow of new exploits for vulnerabilities in the different versions of the software. No doubt this flow of new vulnerabilities stems from a focused, sustained attack upon, and research into, the weaknesses of the software.

So in continuation of the theme, Symantec received samples of an Ichitaro document today (detected as Trojan.Tarodrop.F) that exploits a previously unknown vulnerability in Ichitaro product versions 2005, 2006, and 2007. The exploit causes a stack buffer overflow in the application (JustSystem Ichitaro JSGCI.DLL Unspecified Stack Buffer Overflow Vulnerability) and then seizes execution control to drop a Backdoor.Trojan onto the compromised computer. There is nothing particularly remarkable about this exploit when compared to previous vulnerabilities discovered in Ichitaro, but it does serve to underline the trailblazer effect, and for that reason we shouldn't be surprised to see further vulnerabilities exposed in the future.

We are not currently aware of any patches available to fix this issue, so until JustSystems releases a patch, we would advise all Ichitaro users to treat unsolicited .jtd files with extreme caution.

Update Dec 14, 2007:
We have just confirmed that JustSystems has published a patch for this vulnerability. Hats off to JustSystems for getting a patch out for this problem so quickly. Users of the affected products can download the appropriate patch from here.
