JVN#52691241: Multiple installers of the software provided by Geospatial Information Authority of Japan (GSI) may insecurely load Dynamic Link Libraries

Multiple installers of the software provided by Geospatial Information Authority of Japan (GSI) contain an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries (CWE-427).

Impact

Arbitrary code may be executed with the privilege of the user invoking the installers.

Solution

Do not use the installers
The developer has stated that the development and support of the software has been discontinued, thus recommends users to stop using the installers.
Users who already have installed the software do not need to re-install the software, because this issue affects the installers only.

Products Affected

The instalers of the following software are affected:

• PatchJGD (PatchJGD101.EXE) ver. 1.0.1 [CVE-2017-2210]
• PatchJGD（Hyoko） (PatchJGDh101.EXE) ver. 1.0.1 [CVE-2017-2211]
• TKY2JGD (TKY2JGD1379.EXE) ver. 1.3.79 [CVE-2017-2212]
• SemiDynaEXE (SemiDynaEXE2008.EXE) ver. 1.0.2 [CVE-2017-2213]