Beware! You Can Get Hacked Just by Opening a 'JPEG 2000' Image

Researchers have disclosed a critical zero-day vulnerability in the JPEG 2000 image file format parser implemented in the OpenJPEG library, which could allow an attacker to remotely execute arbitrary code on the affected systems.

Discovered by security researchers at the Cisco Talos group, the zero-day flaw, assigned as TALOS-2016-0193/CVE-2016-8332, could allow an out-of-bounds heap write to occur that triggers heap corruption and leads to arbitrary code execution.

OpenJPEG is an open-source JPEG 2000 codec. Written in C, the software was developed for coding and encoding JPEG2000 images, a format that is often used for tasks like embedding image files inside PDF documents through popular software including PDFium, Poppler, and MuPDF.

Hackers can exploit the security vulnerability by tricking the victim into opening a specially crafted, malicious JPEG2000 image or a PDF document containing that malicious file in an email.

The hacker could even upload the malicious JPEG2000 image file to a file hosting service, like Dropbox or Google Drive, and then send that link to the victim.

Once downloaded to the system, it would create a way for hackers to remotely execute malicious code on the affected system.

The flaw was caused "due to an error while parsing mcc records in the jpeg2000 file,...resulting in an erroneous read and write of adjacent heap area memory," Cisco explained in its advisory.

"Careful manipulation of heap layout and can lead to further heap metadata process memory corruption ultimately leading to code execution under attacker control."

The researchers successfully tested the JPEG 2000 image exploit on the OpenJPEG openjp2 version 2.1.1. The flaw was discovered by Aleksandar Nikolic from the Cisco Talos Security team.

The team reported the zero-day flaw to OpenJPEG developers in late July, and the company patched the flaw last week with the release of version 2.1.2.

The vulnerability has been assigned a CVSS score of 7.5, categorizing it as a high-severity bug.
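
For defenders who cannot yet move every consumer of openjp2 to 2.1.2, the sketch below is an added example (not code from Cisco, OpenJPEG or the original article) that walks a JPEG 2000 codestream, raw or wrapped in a JP2 container, and reports every MCC marker segment, the record type the advisory names. The function names and the sample bytes are constructed for illustration, the marker codes come from the JPEG 2000 standard, and an MCC segment alone does not make a file malicious; it only marks the file for closer review.

```python
import struct

MCC, SOT, SOD, EOC = 0xFF75, 0xFF90, 0xFF93, 0xFFD9  # JPEG 2000 marker codes
JP2_SIG = b"\x00\x00\x00\x0cjP  \r\n\x87\n"  # JP2 signature box

def find_codestream(data):
    """Return the raw codestream: the input itself, or the jp2c box of a JP2 file."""
    if data[:2] == b"\xff\x4f":  # starts with the SOC marker
        return data
    if not data.startswith(JP2_SIG):
        raise ValueError("not a JPEG 2000 file")
    pos = 0
    while pos + 8 <= len(data):
        size, kind = struct.unpack_from(">I4s", data, pos)
        hdr = 8
        if size == 1 and pos + 16 <= len(data):  # 64-bit extended box length
            size, hdr = struct.unpack_from(">Q", data, pos + 8)[0], 16
        if kind == b"jp2c":
            return data[pos + hdr:pos + size if size else len(data)]
        if size < hdr:  # size 0 (box runs to EOF) or corrupt length
            break
        pos += size
    raise ValueError("no jp2c box found")

def mcc_segments(data):
    """Return (offset, length) of each MCC segment in main and tile-part headers."""
    cs = find_codestream(data)
    found, pos, tile_end = [], 2, None  # start just past SOC
    while pos + 4 <= len(cs):
        marker, length = struct.unpack_from(">HH", cs, pos)
        if marker in (SOD, EOC):  # compressed data or end of codestream
            if marker == EOC or tile_end is None or tile_end <= pos:
                break  # done, or Psot is 0 / inconsistent: tile-part runs to the end
            pos = tile_end  # jump over the data to the next tile-part
            continue
        if (marker < 0xFF00 or length < 2 or pos + 2 + length > len(cs)
                or (marker == SOT and length != 10)):
            raise ValueError(f"malformed marker segment at offset {pos}")
        if marker == SOT:  # Psot = length of this tile-part, counted from SOT
            psot = struct.unpack_from(">I", cs, pos + 6)[0]
            tile_end = pos + psot if psot else None
        elif marker == MCC:
            found.append((pos, length))
        pos += 2 + length
    return found

# Constructed sample (structure only, not a decodable image): SOC, SIZ, MCC, SOT, SOD, EOC.
SAMPLE = (b"\xff\x4f" + b"\xff\x51\x00\x28" + bytes(38) + b"\xff\x75\x00\x0b" + bytes(9)
          + b"\xff\x90\x00\x0a" + bytes(8) + b"\xff\x93" + bytes(4) + b"\xff\xd9")
```

Offsets are relative to the start of the codestream, and a `ValueError` on a truncated or inconsistent segment is itself a reason to keep the file away from an unpatched decoder.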