A vulnerability in the open-source OpenJPEG library responsible for encoding and decoding JPG images could allow cybercriminals to execute malicious code on a victim’s machine by creating malicious JPG files.
Because the maliciously crafted image can be distributed either by itself or embedded in a PDF document, attackers could infect victims via URLs linking to the image or by sending infected email attachments through spam campaigns. The vulnerability involves manipulating the heap layout and executing arbitrary code, according to researchers.
“Due to an error while parsing mcc records in the jpeg2000 file, out of bounds memory can be accessed resulting in an erroneous read and write of adjacent heap area memory,” reads the CVE-2016-8332 report by Cisco Talos. “Careful manipulation of heap layout and can lead to further heap metadata process memory corruption ultimately leading to code execution under attacker control.”
Because the vulnerability is relatively easy to exploit and has serious consequences, it has been given a vulnerability score of 7.5. Popular PDF readers that rely on the library, such as Poppler, MuPDF and Pdfium, were deemed affected by the issue.
The vulnerability was reported in late July and has since been patched in the latest 2.1.2 release of the OpenJPEG library.
While this is not the first time vulnerabilities in the OpenJPEG library have been reported, developers using it are strongly encouraged to update the library to its latest version. As for the average user, keeping all software up to date ensures such vulnerabilities cannot be exploited and used to infect their PCs.
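For triage while the 2.1.2 update rolls out, the following added example (not from Talos or the OpenJPEG project) walks the main header of any JPEG 2000 codestream found in a file, including one stored raw inside a PDF, and reports the offsets of MCC records, the segment type named in the advisory. The marker values come from the JPEG 2000 specification; the function names and sample bytes are constructed for illustration, and a hit only means an MCC record is present, not that the file is malicious.

```python
import struct

# JPEG 2000 marker codes (from the codestream specification)
SOC_SIZ = b"\xff\x4f\xff\x51"   # start of codestream, immediately followed by SIZ
SIZ, SOT, MCC = 0xFF51, 0xFF90, 0xFF75

def main_header_markers(data, soc):
    """Yield (marker, offset) for each main-header segment after the SOC at `soc`."""
    pos = soc + 2
    while pos + 4 <= len(data):
        marker, length = struct.unpack_from(">HH", data, pos)
        if marker == SOT or marker >> 8 != 0xFF:
            return                      # tile data begins, or this is not a marker
        yield marker, pos
        if length < 2 or pos + 2 + length > len(data):
            return                      # declared length overruns the buffer: stop
        pos += 2 + length               # the length field counts its own two bytes

def find_mcc_records(data):
    """Return byte offsets of MCC segments in every codestream main header in `data`."""
    hits = []
    idx = data.find(SOC_SIZ)
    while idx != -1:
        hits.extend(off for m, off in main_header_markers(data, idx) if m == MCC)
        idx = data.find(SOC_SIZ, idx + 2)
    return hits

def _segment(marker, body):
    """Build one marker segment (hypothetical helper used only for the samples)."""
    return struct.pack(">HH", marker, len(body) + 2) + body

# Constructed sample inputs (not real images): zero-filled segment bodies
HEAD = b"\xff\x4f" + _segment(SIZ, bytes(39))
PLAIN = HEAD + _segment(SOT, bytes(8))
WITH_MCC = HEAD + _segment(MCC, bytes(3)) + _segment(SOT, bytes(8))
TRUNCATED = HEAD + struct.pack(">HH", MCC, 500)   # length points past end of data
PDF_PREFIX = b"%PDF-1.4 constructed wrapper\nstream\n"
IN_PDF = PDF_PREFIX + WITH_MCC + b"\nendstream\n"

if __name__ == "__main__":
    samples = [("plain", PLAIN), ("mcc", WITH_MCC),
               ("truncated", TRUNCATED), ("in_pdf", IN_PDF)]
    for name, blob in samples:
        print(name, find_mcc_records(blob))
```

The scan assumes the codestream bytes appear unencoded in the file; a PDF stream wrapped in an additional filter would need decoding first.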