A security researcher (Dillon Beresford) has identified a security vulnerability in NJStar MiniSMTP Server version 1.33 or older. MiniSMTP.exe is included for sending emails in the following 4 NJStar software:
1. NJStar Communicator v2.x and v3.0.
2. NJStar Chinese WP v4.x and v5.x,
3. NJStar Japanese WP v4.x and v5.x
4. NJStar Chinese Calendar v2.x.
The vulnerability is caused due to a boundary error in the handling of SMTP communication. This can be exploited remotely to cause a stack-based buffer overflow and execute arbitrary code if,
- MiniSMTP.exe v1.x is running on a user's PC, you will see the icon in systray,
(Even you are using one of above NJStar programs, MiniSMTP.exe will not run until you want to send an email using NJStar's send mail function and have configured 'localhost' as SMTP server.)
- User's PC is connected directly to Internet without firewall with public IP address (not as 192.168.x.x, 10.x.x.x)
This vulnerability has been fixed by safe guarding all buffers and dis-allowing all SMTP connections form Internet. All users of NJStar Software (shareware or registered versions) are recommended to update each of the installed NJStar Software to the latest versions:
or download a single MiniSMTP v3.0 upgrade below to update all installed NJStar Software.