1 min read

OpenJPEG Vulnerability Allows Execution of Malicious Code Using Crafted Images

Liviu ARSENE

October 04, 2016

Promo Protect all your devices, without slowing them down.
Free 30-day trial
OpenJPEG Vulnerability Allows Execution of Malicious Code Using Crafted Images

A vulnerability in the open-source OpenJPEG library responsible for encoding and decoding JPG images could allow cybercriminals to execute malicious code on a victim”s machine by creating malicious JPG files.

Because the maliciously crafted image can be distributed either by itself or embedded in a PDF document, attackers could infect victims via URLs linking to the image or by sending infecting email attachments through spam campaigns. The vulnerability involves manipulating the heap layout and executing arbitrary code, according to researchers.

“Due to an error while parsing mcc records in the jpeg2000 file, out of bounds memory can be accessed resulting in an erroneous read and write of adjacent heap area memory,” reads the CVE-2016-8332 report by Cisco Talos. “Careful manipulation of heap layout and can lead to further heap metadata process memory corruption ultimately leading to code execution under attacker control.”

Because the vulnerability is relatively easy to exploit and has serious consequences, it has been rated with a 7.5 vulnerability score. Popular PDF readers that rely on the library, such as Poppler, MuPDF and Pdfium, were deemed as affected by the issue.

As the vulnerability was reported in late July, it has since been patched in the latest 2.1.2 release of the OpenJPG library.

While this is not the first time vulnerabilities in the OpenJPEG library have been reported, developers using it are strongly encouraged to update the library to its latest version. As for the average user, keeping all software up to date ensures such vulnerabilities cannot be exploited and used to infect their PCs.

tags


Author


Liviu ARSENE

Liviu Arsene is the proud owner of the secret to the fountain of never-ending energy. That's what's been helping him work his everything off as a passionate tech news editor for the past few years.

View all posts

You might also like

Bookmarks


loader