Cisco Talos researchers have uncovered a severe zero-day flaw in the OpenJPEG JPEG 2000 codec which could lead to remote code execution on compromised systems. This flaw has been given the code name CVE-2016-8332, with a CVSS score of 7.5 and it is being regarded as an out-of-bounds vulnerability. This means, this vulnerability can heap write to occur, which can result in arbitrary code execution and heap exploitation. OpenJPEG is a JPEG 2000 codec, which is programmed in C language and is an image compression standard, which is commonly used for a variety of tasks such image embedding in PDF files through software including Poppler, MuPDF and Pdfium.
Because the maliciously crafted image can be distributed either by itself or embedded in a PDF document, attackers could infect victims via URLs linking to the image or by sending infecting email attachments through spam campaigns. The vulnerability involves manipulating the heap layout and executing arbitrary code, according to researchers.
According to the report:
Due to an error while parsing mcc records in the jpeg2000 file, out of bounds memory can be accessed resulting in an erroneous read and write of adjacent heap area memory. Careful manipulation of heap layout and can lead to further heap metadata process memory corruption ultimately leading to code execution under attacker control.
Cisco Talos disclosed the vulnerability to affected vendors in July, granting them time to prepare patches to fix the problem before public release. The affected version of OpenJPEG was 2.1.1 and has since been patched in version 2.1.2 of the OpenJPEG library.