JVN#35928117: Protection mechanism failure in RevoWorks

2024-02-29
Japan Vulnerability Notes (jvn.jp)

CVSS3: 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Privileges Required: NONE
  • User Interaction: NONE
  • Scope: UNCHANGED
  • Confidentiality Impact: HIGH
  • Integrity Impact: HIGH
  • Availability Impact: NONE

AI Score: 6.9 (Confidence: Low)
EPSS: 0 (Percentile: 9.0%)

RevoWorks SCVX and RevoWorks Browser, provided by J’s Communication Co., Ltd., enable users to run web browsers in a sandboxed environment isolated from the client’s local environment.
In these products, file exchange between the sandboxed environment and the local environment is prohibited in principle. When the optional “VirusChecker” or “ThreatChecker” feature is used and the policy settings are changed, files that these features have checked for viruses in the sandboxed environment can be permitted to be downloaded to the local environment.

However, the products contain a vulnerability (CWE-693): malware detection fails when data containing malware is saved in a specific file format (eml, dmg, vhd, iso, msi) in the sandboxed environment.

Impact

If data containing malware is saved in a specific file format, malware may be taken outside the sandboxed environment.

Solution

Update the software
Update the software to the latest version according to the information provided by the developer.
The developer addressed the vulnerability in the following versions:

  • RevoWorks SCVX scvimage4.10.21_1013
  • RevoWorks Browser 2.2.95

Apply the workaround
Applying the following workaround may avoid the impact of this vulnerability.

  • Do not use “VirusChecker” and “ThreatChecker” features
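
Where the download policy has to stay enabled until the update is applied, a gate in front of the transfer can refuse the five listed formats by content as well as by extension. This is an added example, not code from the developer or from JVN; the gate itself, the function names and the signature heuristics are assumptions of this example, and the samples are constructed.

```python
import os
import re

# Assumption: this runs at a hypothetical pre-transfer hook, before any download is allowed.
BLOCKED = {"eml", "dmg", "vhd", "iso", "msi"}        # formats named in the advisory
OLE_CFB = bytes.fromhex("D0CF11E0A1B11AE1")          # OLE compound file (MSI container)
EML_LINE = re.compile(rb"(?i)^(received|return-path|from|to|date|subject|message-id|mime-version):")

def sniff(data: bytes):
    """Classify by content, so a renamed file is still recognised."""
    if data.startswith(OLE_CFB):
        return "msi"   # conservative: every OLE compound file is treated as MSI
    if any(data[o:o + 5] == b"CD001" for o in (0x8001, 0x8801, 0x9001)):
        return "iso"   # ISO 9660 volume descriptor identifier
    tail = data[-512:]
    if tail.startswith(b"conectix") or data.startswith(b"conectix"):
        return "vhd"   # VHD footer cookie (also copied to the start of dynamic disks)
    if tail.startswith(b"koly"):
        return "dmg"   # UDIF trailer block
    head = data[:2048].lstrip().splitlines()[:5]
    if sum(bool(EML_LINE.match(line)) for line in head) >= 2:
        return "eml"   # heuristic: two or more RFC 5322 header lines at the top
    return None

def transfer_decision(filename: str, data: bytes):
    """Return (allowed, reason) for a sandbox-to-local download request."""
    ext = os.path.splitext(filename)[1].lstrip(".").lower()
    kind = sniff(data)
    if ext in BLOCKED:
        return False, f"extension .{ext} is on the advisory's list"
    if kind:
        return False, f"content looks like {kind} despite name {filename!r}"
    return True, "no listed container format detected"

# Constructed samples (not real files): just enough bytes to carry each marker.
SAMPLES = {
    "setup.msi": OLE_CFB + b"\0" * 504,
    "report.pdf": b"\0" * 0x8001 + b"CD001" + b"\0" * 100,   # ISO renamed to .pdf
    "disk.bin": b"\0" * 1024 + b"conectix" + b"\0" * 504,    # VHD footer
    "app.dat": b"\0" * 1024 + b"koly" + b"\0" * 508,         # DMG trailer
    "note.txt": b"From: a@example.test\r\nSubject: hi\r\n\r\nbody",
    "photo.png": b"\x89PNG\r\n\x1a\n" + b"\0" * 64,
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(name, transfer_decision(name, blob))
```

The OLE check also catches legacy Office documents, which is the intended conservative behaviour for a stopgap.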

Products Affected

  • RevoWorks SCVX prior to scvimage4.10.21_1013
  • RevoWorks Browser prior to 2.2.95

Note that the products are affected by this vulnerability only when the VirusChecker or ThreatChecker feature is being used.
