
Cisco Talos finds severe JPEG 2000 flaw for remote code execution

Cisco Talos discovered a severe flaw in the JPEG 2000 image file-format parser -- which is often used in PDF documents -- that could allow remote code execution on affected systems.

Cisco Talos discovered a previously undisclosed, exploitable vulnerability in the JPEG 2000 image file-format parser in the OpenJPEG library, which could allow remote code execution on vulnerable systems.

The OpenJPEG project released a patch for the flaw, which was assigned a Common Vulnerability Scoring System v3 severity rating of 7.5, or high severity. The JPEG 2000 file format is used most often for images embedded in PDF documents. A successful exploit would give an attacker the ability to execute arbitrary code against the system of a user who opens a malicious JPEG 2000 file, or a PDF document that contains such a file.

"Due to an error while parsing mcc records in the JPEG 2000 file, out-of-bounds memory can be accessed, resulting in an erroneous read and write of adjacent heap-area memory," according to the Talos vulnerability report. "Careful manipulation of heap layout can lead to further heap metadata process memory corruption, ultimately leading to code execution under attacker control."

According to Cisco Talos, the vulnerability "could allow an out-of-bound heap write to occur, resulting in heap corruption and leading to arbitrary code execution."
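The bug class Talos describes is a heap table sized from one field of the file and indexed by values taken from another, with no check that the two agree. The following C program is an added, constructed illustration of that pattern and its fix; it is not OpenJPEG's code and does not reproduce the real mcc parsing logic. The segment layout (a 16-bit count followed by 16-bit component indices), the struct and function names, and the sample segments are all hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed illustration, not OpenJPEG's code: a heap table that is
 * sized from one part of the file (the component count in the image
 * header) and indexed by values taken from another part (a marker
 * segment), with no check that the two agree. */
typedef struct {
    uint32_t ncomps;      /* component count declared in the image header */
    uint8_t *comp_flags;  /* heap buffer of exactly ncomps bytes */
} image_t;

/* Hypothetical segment layout: u16 count, then count x u16 component index. */

/* Vulnerable form: trusts both the count and the indices in the file.
 * Reads past the segment when count is too large for len, and writes
 * past comp_flags when an index is >= ncomps (heap out-of-bounds write). */
static int parse_mcc_unchecked(image_t *img, const uint8_t *p, size_t len)
{
    if (len < 2)
        return -1;
    uint16_t count = (uint16_t)((p[0] << 8) | p[1]);
    for (uint16_t i = 0; i < count; i++) {
        uint16_t idx = (uint16_t)((p[2 + 2 * i] << 8) | p[3 + 2 * i]);
        img->comp_flags[idx] = 1;   /* no comparison against ncomps */
    }
    return count;
}

/* Hardened form: the declared count must fit in the bytes actually
 * present, and every index is validated against ncomps before any write,
 * so a rejected segment leaves the table untouched. */
static int parse_mcc_checked(image_t *img, const uint8_t *p, size_t len)
{
    if (len < 2)
        return -1;
    uint16_t count = (uint16_t)((p[0] << 8) | p[1]);
    if ((size_t)count * 2 > len - 2)   /* truncated segment */
        return -1;
    for (uint16_t i = 0; i < count; i++) {
        uint16_t idx = (uint16_t)((p[2 + 2 * i] << 8) | p[3 + 2 * i]);
        if (idx >= img->ncomps)        /* index outside the heap table */
            return -1;
    }
    for (uint16_t i = 0; i < count; i++) {
        uint16_t idx = (uint16_t)((p[2 + 2 * i] << 8) | p[3 + 2 * i]);
        img->comp_flags[idx] = 1;
    }
    return count;
}

/* Constructed sample segments, all aimed at a 3-component image. */
static const uint8_t SEG_BENIGN[]    = { 0x00, 0x02, 0x00, 0x00, 0x00, 0x02 };
static const uint8_t SEG_BAD_INDEX[] = { 0x00, 0x01, 0x00, 0x40 };   /* index 64 */
static const uint8_t SEG_TRUNCATED[] = { 0x00, 0x05, 0x00, 0x00 };   /* claims 5, has 1 */

/* Runs the hardened parser on one segment against a fresh 3-component table
 * and returns its result (entries applied, or -1 for a rejected segment). */
int checked_result(const uint8_t *seg, size_t len)
{
    image_t img = { 3, calloc(3, 1) };
    if (!img.comp_flags)
        return -2;
    int r = parse_mcc_checked(&img, seg, len);
    free(img.comp_flags);
    return r;
}

int main(void)
{
    image_t img = { 3, calloc(3, 1) };
    if (!img.comp_flags)
        return 1;
    /* Both parsers accept the well-formed segment. */
    printf("unchecked, benign:  %d\n", parse_mcc_unchecked(&img, SEG_BENIGN, sizeof SEG_BENIGN));
    printf("checked, benign:    %d\n", checked_result(SEG_BENIGN, sizeof SEG_BENIGN));
    /* Only the hardened parser is run on the crafted inputs; feeding them
     * to parse_mcc_unchecked would be the out-of-bounds read and write. */
    printf("checked, bad index: %d\n", checked_result(SEG_BAD_INDEX, sizeof SEG_BAD_INDEX));
    printf("checked, truncated: %d\n", checked_result(SEG_TRUNCATED, sizeof SEG_TRUNCATED));
    free(img.comp_flags);
    return 0;
}
```

The hardened parser validates every index in a first pass and writes only in a second, so a malformed segment is rejected without partially mutating the heap table. The same two checks, declared length against bytes present and file-supplied index against allocation size, are what a reviewer would look for in any marker-segment parser, JPEG 2000 or otherwise.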

"Exploitation of this vulnerability is possible if a user were to open a file containing a specifically crafted JPEG 2000 image that exploits this flaw. Examples where this could be achieved would be in an email attack, where a user opens an attachment in a spam [or] phishing email, or in a hosted-content scenario, where a user downloads a file from Google Drive or Dropbox."

Talos also noted that because the OpenJPEG library is incorporated in several PDF renderers, this makes "PDF documents a likely attack vector." According to the Talos report, the company disclosed the JPEG 2000 flaw to affected vendors on July 26. The flaw was first discovered in OpenJPEG version 2.1.1 by Cisco Talos security researcher Aleksandar Nikolic.

According to the OpenJPEG website, OpenJPEG is an open source JPEG 2000 codec written in the C language, "developed in order to promote the use of JPEG 2000, a still-image compression standard from the Joint Photographic Experts Group." OpenJPEG was recognized as a JPEG 2000 reference implementation in May 2015 by ISO/IEC and ITU-T.

The vulnerability was assigned CVE-2016-8332 and patched in OpenJPEG version 2.1.2, released on Sept. 28, 2016.
