Security researchers have disclosed local zero-day DLL hijacking vulnerabilities in several applications developed by Corel Software that could allow an attacker to execute arbitrary commands on victims' computers, potentially affecting more than 100 million users.





The security holes were publicly disclosed by Marcos Accossatto of vulnerability research firm Core Security after the vendor didn't respond to his private disclosure of the flaws.





Corel develops a wide range of products, including graphics, photo, video and other media editing programs. According to the researcher, when a media file associated with one of the vulnerable Corel products is opened, the product also loads a specifically named DLL (Dynamic Link Library) file into memory if it is located in the same directory as the opened media file.

Because DLL files contain executable code, an attacker who places a malicious DLL in the same directory as the document could install malware on the victim's computer.

"Given that this is a client-side vulnerability, affected users should avoid opening untrusted files whose extensions are associated with Corel software and contain any of the [affected] DLL files," Accossatto said in an advisory.

"When a file associated with the Corel software is opened, the directory of that document is first used to locate DLLs, which could allow an attacker to execute arbitrary commands by inserting malicious DLLs into the same directory as the document."
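The advisory's guidance can be turned into a defensive check. The following is an added example, not code from the advisory or from Corel: it walks a directory tree and reports every folder where a document sits next to a DLL. The extension list is an assumption, and because the affected DLL names are not given here, any co-located DLL is flagged.

```python
import os
import tempfile

# Assumption: extensions commonly associated with Corel products; adjust to
# the file associations actually registered on your systems.
WATCHED_EXTENSIONS = {".cdr", ".cpt", ".pspimage"}


def find_colocated_dlls(root, extensions=WATCHED_EXTENSIONS):
    """Return {directory: (documents, dlls)} for every directory under root
    that holds a watched document next to at least one DLL."""
    findings = {}
    # os.walk ignores unreadable directories by default, so the scan continues.
    for dirpath, _dirnames, filenames in os.walk(root):
        docs, dlls = [], []
        for name in filenames:
            # Windows file names are case-insensitive, so compare in lower case.
            ext = os.path.splitext(name)[1].lower()
            if ext == ".dll":
                dlls.append(name)
            elif ext in extensions:
                docs.append(name)
        if docs and dlls:
            findings[dirpath] = (sorted(docs), sorted(dlls))
    return findings


def demo():
    """Build a constructed directory tree and scan it."""
    with tempfile.TemporaryDirectory() as root:
        layout = {  # constructed sample data
            "downloads/logo_pack": ["logo.CDR", "helper.DLL"],  # document + DLL
            "projects/poster": ["poster.cdr", "notes.txt"],     # document only
            "tools/bin": ["plugin.dll"],                        # DLL only
        }
        for rel, names in layout.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(path)
            for name in names:
                open(os.path.join(path, name), "wb").close()
        found = find_colocated_dlls(root)
        return {os.path.relpath(d, root).replace(os.sep, "/"): v
                for d, v in found.items()}


if __name__ == "__main__":
    for directory, (docs, dlls) in demo().items():
        print(f"{directory}: documents={docs} dlls={dlls}")
```

Pointing `find_colocated_dlls` at download folders, mail attachment caches and shared drives gives a list of directories to review before any document in them is opened.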

VULNERABLE COREL PRODUCTS

At least eight Corel products are affected by the vulnerabilities, including:

CorelDRAW X7

Corel Photo-Paint X7

Corel PaintShop Pro X7

CorelCAD 2014

Corel Painter 2015

Corel PDF Fusion

Corel VideoStudio PRO X7

Corel FastFlick

Corel was warned of the vulnerabilities in its products on December 9, 2014, followed by another email on December 17, 2014, requesting confirmation that the previous message had been received. There was no response from the vendor. The Core team then contacted the company again via Twitter on January 2 but again received no response, and therefore disclosed the flaws publicly.



STATEMENT FROM TEAM COREL

There are no patches available for the vulnerabilities yet.

"Corel is reviewing its products on a case-by-case basis to safeguard dynamic loading of DLL files, which is a common vulnerability in many Windows applications," said Jessica Gould, senior communications manager for Corel, in a statement Tuesday.