Researchers are warning about a newly discovered security vulnerability in a popular open-source JPEG 2000 parser that could let corrupted image files trigger remote code execution.
Cisco-owned security firm Talos warns that by embedding a malformed image file into a web page, PDF file, or email message, an attacker could gain control over the targeted system simply by the user loading the page or message in a vulnerable application.
The flaw itself (designated CVE-2016-8332) involves the mishandling of mcc data by the OpenJPEG library. This, in turn, leads to an out-of-bounds heap write that, if set up correctly, could allow attack code to be loaded and executed in memory.
Software including Poppler, MuPDF and Chrome's PDFium plus various medical imagine processing packages use the vulnerable OpenJPEG library, meaning it is possible to exploit this latest programming blunder to attack users.
"Due to an error while parsing mcc records in the jpeg2000 file, out-of-bounds memory can be accessed, resulting in an erroneous read and write of adjacent heap area memory," Talos reports.
"Careful manipulation of heap layout ... can lead to further heap metadata process memory corruption, ultimately leading to code execution under attacker control."
While not as popular as competing image compression formats like PNG or its JPEG predecessor, the JPEG 2000 format is commonly used for the images embedded in PDF files.
Talos notes that the most likely scenario would be to put a malformed data within a PDF and then execute malicious code once the document is viewed. Making matters worse, says Talos, is that modern web browsers will display the booby-trapped PDF document within the browser window.
OpenJPEG 2.1.2 was released on September 28 to address the security flaw. Linux distros and similar operating systems should be pushing the patched library to users to install; applications statically built with the code will need to be updated by their developers, and then downloaded and installed to avoid any exploitation.
Discovery of the bug was credited to Aleksandar Nikolic of Cisco Talos, who found a very similar OpenJPEG blunder back in June. ®