Be Careful With JPEG 2000 Files So You Don’t Get Hacked
Security experts at the Cisco Talos group have discovered a zero-day flaw in the handling of the JPEG 2000 image file format (often used to embed images in PDF documents). The vulnerability affects the JPEG 2000 parser implemented in the OpenJPEG library, an open-source JPEG 2000 codec written in C.
According to the security advisory Talos published, the flaw (first discovered by Aleksandar Nikolic of Cisco Talos) could allow arbitrary code execution. Talos successfully tested and exploited it on OpenJPEG openjp2 2.1.1.
What’s The Big Deal?
To exploit this vulnerability, a hacker needs to trick the victim into opening a specially crafted JPEG 2000 image file, for example by emailing the victim a PDF file that contains it, or by delivering it through other channels such as Dropbox or Google Drive.
If the hacker succeeds, an error while parsing MCC records in the JPEG 2000 file leads to an out-of-bounds memory access, which could result in a massive read and write of adjacent heap memory.
The security advisory states:
The vulnerability lies in opj_j2k_read_mcc_record function in src/lib/openjp2/j2k.c file which is responsible for parsing mcc records.
A patch was released on the 29th of September, following the Talos experts' disclosure of the zero-day flaw to the vendor, OpenJPEG, on the 26th of July.
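For triage of incoming files, the following C program (an added example, not code from OpenJPEG or the Talos advisory) walks the main header of a JPEG 2000 codestream and counts MCC marker segments, checking every segment length against the bytes that remain. The marker values come from the JPEG 2000 standard; the function name and the sample buffers are constructed for illustration, and MCC segments inside tile-part headers are not covered.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#define MS_SOC 0xFF4F /* start of codestream */
#define MS_SIZ 0xFF51 /* image and tile size, always follows SOC */
#define MS_MCC 0xFF75 /* multiple component collection record */
#define MS_SOT 0xFF90 /* start of tile-part, ends the main header */

/* Constructed buffers, not valid images: one well-formed MCC segment, and
   one MCC segment whose length field runs past the end of the data. */
static const uint8_t SAMPLE_OK[] = {0xFF,0x4F, 0xFF,0x51,0x00,0x04,0x00,0x00,
    0xFF,0x75,0x00,0x05,0x00,0x00,0x00, 0xFF,0x90,0x00,0x0A};
static const uint8_t SAMPLE_TRUNC[] = {0xFF,0x4F, 0xFF,0x51,0x00,0x04,0x00,0x00,
    0xFF,0x75,0x01,0x00,0x00};

static unsigned be16(const uint8_t *p) { return ((unsigned)p[0] << 8) | p[1]; }

/* Returns the number of MCC segments in the main header, -1 if no
   codestream is found, -2 if a segment is malformed or truncated. */
int count_mcc_segments(const uint8_t *buf, size_t len)
{
    size_t pos = 0;
    int found = 0;
    /* Find SOC followed by SIZ; this also locates a codestream that is
       wrapped in a JP2 container or sits inside a larger file. */
    while (pos + 4 <= len &&
           !(be16(buf + pos) == MS_SOC && be16(buf + pos + 2) == MS_SIZ))
        pos++;
    if (pos + 4 > len) return -1;
    pos += 2; /* SOC carries no length field */
    while (len - pos >= 4) {
        unsigned marker = be16(buf + pos);
        unsigned seglen = be16(buf + pos + 2); /* includes its own 2 bytes */
        if (marker == MS_SOT) return found;
        if ((marker >> 8) != 0xFF) return -2;
        if (seglen < 2 || seglen > len - pos - 2) return -2;
        if (marker == MS_MCC) found++;
        pos += 2 + (size_t)seglen;
    }
    return -2; /* data ended before the first tile-part */
}

int main(void)
{
    printf("ok=%d truncated=%d\n",
           count_mcc_segments(SAMPLE_OK, sizeof SAMPLE_OK),
           count_mcc_segments(SAMPLE_TRUNC, sizeof SAMPLE_TRUNC));
    return 0;
}
```

A non-zero count or a -2 result marks a file worth holding back from an unpatched OpenJPEG-based viewer; it does not by itself show that the file is malicious.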
Read more detailed information on the Talos website.