
IrfanView plug-in updated to fix arbitrary code execution flaw

The JPEG 2000 (JP2) plug-in for the Windows-based image viewing and editing application IrfanView has been updated to address a vulnerability that can lead to arbitrary code execution, Cisco's Talos division has reported.

Discovered by Talos researcher Aleksandar Nikolic and officially designated CVE-2017-2813, the bug is an integer overflow that causes an undersized memory allocation, which can then be exploited to achieve code execution.

"This vulnerability is specifically related to the way in which the plug-in leverages the reference tile width value in a buffer size allocation," Talos explains in the post. "There are insufficient checks being done which can result in a small buffer being allocated for a large tile. This results in a controlled out-of-bounds write vulnerability."

The vulnerability is triggered when the user views an image in the application or uses the application's thumbnailing feature, Talos notes.
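The bug class Talos describes, a size computed from an untrusted tile dimension wrapping around before allocation, is shown below as an added illustration. This is not the plug-in's code: the struct, the function names, the size formula (width × height × components) and the 256 MiB cap are all assumptions chosen for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical tile header fields as parsed from an untrusted image. */
struct tile_hdr {
    uint32_t width;       /* reference tile width */
    uint32_t height;
    uint32_t components;  /* samples per pixel */
};

/* Constructed policy limit for one tile buffer (assumption). */
#define MAX_TILE_BYTES ((uint64_t)256 * 1024 * 1024)

/* Unchecked pattern: the product is computed in 32 bits and silently
 * wraps modulo 2^32, so a huge tile can yield a tiny allocation size. */
uint32_t tile_size_unchecked(const struct tile_hdr *t)
{
    return t->width * t->height * t->components;
}

/* Checked pattern: widen to 64 bits, bound every intermediate result,
 * and refuse the tile instead of allocating a wrapped size. */
bool tile_size_checked(const struct tile_hdr *t, size_t *out)
{
    if (t->width == 0 || t->height == 0 || t->components == 0)
        return false;
    uint64_t n = (uint64_t)t->width * t->height;  /* cannot exceed 64 bits */
    if (n > MAX_TILE_BYTES)
        return false;
    n *= t->components;                           /* n <= 2^28 here, so no wrap */
    if (n > MAX_TILE_BYTES)
        return false;
    *out = (size_t)n;
    return true;
}

int main(void)
{
    /* Constructed input: 0x40000001 * 4 = 0x100000004, which wraps to 4. */
    struct tile_hdr bad = { 0x40000001u, 4, 1 };
    size_t n = 0;
    printf("unchecked size: %u bytes\n", (unsigned)tile_size_unchecked(&bad));
    printf("checked accepts tile: %s\n", tile_size_checked(&bad, &n) ? "yes" : "no");
    return 0;
}
```

With the unchecked size, a decoder that allocates the returned byte count and then writes a full tile's worth of data writes past the end of the buffer; the checked form rejects the header before any allocation happens.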

The latest, patched version of the IrfanView plug-in is available via the IrfanView website.

"The problem is not in IrfanView itself; it is in an external third-party plugin," said IrfanView creator Irfan Skiljan, in comments sent to SC Media. "Most users do not install plugins, so the problem is not affecting many IrfanView users."

Bradley Barth

