Vendor has not responded to security company's communication

Jan 13, 2015 21:47 GMT  ·  By

Several products developed by Corel have been found to be affected by zero-day DLL hijacking bugs that could allow an attacker to execute arbitrary commands on the computer system running the product.

The advisory comes from vulnerability research firm Core Security, which has discovered that CorelDRAW X7, Corel Photo-Paint X7, Corel PaintShop Pro X7, CorelCAD 2014, Corel Painter 2015, Corel PDF Fusion, Corel VideoStudio PRO X7 and Corel FastFlick are affected by the issues.

Malicious DLLs can be used to install malware

“When a file associated with the Corel software is opened, the directory of that document is first used to locate DLLs, which could allow an attacker to execute arbitrary commands by inserting malicious DLLs into the same directory as the document,” the advisory reads.

The risk is that a threat actor could deliver a malicious DLL together with a file that is intended to be opened with Corel software. Since DLLs contain executable code, they can be used to install malware on a computer.
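The hijacking scenario described above depends on one simple on-disk layout: a document the Corel application opens sitting in the same directory as a DLL. A defender can look for exactly that layout. The script below is an added example, not code from the advisory, Core Security or Corel; it walks a directory tree and flags any folder holding both a document of interest and a `.dll`. The document extensions in `DOCUMENT_EXTENSIONS` are an assumption made for illustration and should be checked against the file associations on the machine being audited; the sample directory tree it builds is constructed test data.

```python
"""Flag directories where a Corel-type document sits beside a DLL.

Added example for the DLL hijacking issue discussed in the article; not
Core Security's or Corel's code.  The document extensions below are an
assumption for illustration only.
"""
import os
import tempfile
from pathlib import Path

# Assumption: extensions of documents the affected products open.  Confirm
# against the actual file associations before relying on this list.
DOCUMENT_EXTENSIONS = {".cdr", ".cpt", ".pspimage", ".dwg", ".dxf", ".vsp"}


def scan_listing(filenames):
    """Classify one directory listing.

    Returns {"documents": [...], "dlls": [...]} when the listing contains at
    least one document of interest AND at least one DLL (the layout the
    hijacking scenario needs), otherwise None.
    """
    docs = sorted(f for f in filenames if Path(f).suffix.lower() in DOCUMENT_EXTENSIONS)
    dlls = sorted(f for f in filenames if Path(f).suffix.lower() == ".dll")
    if docs and dlls:
        return {"documents": docs, "dlls": dlls}
    return None


def find_suspicious_dirs(root):
    """Walk `root` and map each flagged directory to its documents and DLLs."""
    findings = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        hit = scan_listing(filenames)
        if hit:
            findings[dirpath] = hit
    return findings


def build_sample_tree(base):
    """Create constructed test data: one clean folder with only a document,
    and one folder where a document and a DLL sit side by side."""
    clean = Path(base) / "clean"
    clean.mkdir()
    (clean / "brochure.cdr").write_bytes(b"")
    dropped = Path(base) / "downloads"
    dropped.mkdir()
    (dropped / "invoice.cdr").write_bytes(b"")
    (dropped / "helper.dll").write_bytes(b"MZ")  # placeholder, not a real DLL
    return str(clean), str(dropped)


def demo():
    """Run the scanner over the constructed tree and summarise the result."""
    with tempfile.TemporaryDirectory() as base:
        clean, dropped = build_sample_tree(base)
        findings = find_suspicious_dirs(base)
        return {
            "clean_flagged": clean in findings,
            "downloads_flagged": dropped in findings,
            "dlls": findings.get(dropped, {}).get("dlls", []),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run it against a user's Downloads folder or a mail attachment staging area to surface folders that match the pattern before anyone double-clicks the document; a hit is a prompt to inspect the DLL, not proof of compromise.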

Corel was contacted about the risks revealed by Core Security's findings but did not reply, which led the vulnerability research company to publicly disclose the DLL hijacking problem affecting the aforementioned products.

No patches are available at the moment

The first attempt to communicate with Corel was made on December 9, 2014, followed by another email on December 17 asking for confirmation that the previous message had been received. The company was then contacted on Twitter on January 2, 2015, but still no answer was received.

The initial date for disclosing the bugs had been set for January 5, 2015, but Core Security waited until this Tuesday to make things public.

Corel has not yet released any patches that would mitigate the risks exposed by Core Security. The graphic design software developer claims to have over 100 million active users in more than 75 countries.

Until fixes are rolled out, it is advisable not to use Corel software products to open files that come from untrusted sources.