0-Days Exposed in Several Corel Applications

Researchers from Core Security have disclosed DLL hijacking vulnerabilities in several applications made by Corel Software after the vendor didn’t respond to Core’s notifications about the flaws.

UPDATE–Researchers from Core Security have disclosed DLL hijacking vulnerabilities in several applications made by Corel Software after the vendor didn’t respond to Core’s notifications about the flaws. There are no patches available for the bugs, which can allow remote code execution.

Corel sells a variety of graphics, design and video apps, including CorelDRAW, Photo-Paint and CAD, and security researchers at Core discovered that many of the apps contain a DLL hijacking vulnerability that can be triggered when a user opens a malicious DLL.

“When a file associated with the Corel software is opened, the directory of that document is first used to locate DLLs, which could allow an attacker to execute arbitrary commands by inserting malicious DLLs into the same directory as the document,” the advisory from Core says.

“This vulnerability is caused by a DLL Hijacking when a file associated with any of the following Corel applications is executed (CorelDRAW X7, Corel Photo-Paint X7, Corel PaintShop Pro X7, Corel Painter 2015 or Corel PDF Fusion). The affected application should not be running for the vulnerability to work. The Corel software looks for a DLL file called ‘wintab32.dll’ and does not control its path, therefore allowing to copy a malicious DLL file with the same name inside the folder where the associated file is. The DLL is executed within the context of the application.”

The vulnerability affects many of Corel’s apps, including:

    . Corel DRAW X7 

   . Corel Photo-Paint X7 

   . Corel PaintShop Pro X7

   . Corel CAD 2014 

   . Corel Painter 2015 

   . Corel PDF Fusion 

   . Corel VideoStudio PRO X7 

   . Corel FastFlick 

The Core researchers contacted Corel about the vulnerabilities on Dec. 9, with no response, and again on Dec. 17, and again got no answer. They made a third attempt to contact Corel through Twitter, with no success, and released the advisory on Monday.

There are no patches available for the vulnerabilities.

“Corel is reviewing its products on a case-by-case basis to safeguard dynamic loading of DLL files, which is a common vulnerability in many Windows applications,” Corel said in a statement provided to Threatpost.

“Corel makes frequent updates to our applications and these changes have been made a priority for the next update of any affected Corel product. We would like to assure our users that we are not aware of any exploits of this issue with our software.”

This article was updated on Jan. 13 to add Corel’s statement.

Suggested articles