Patch Management

IrfanView plug-in updated to fix arbitrary code execution flaw

April 28, 2017

The jpeg2000 (JP2) plug-in for the Windows-based image viewing and editing application IrfanView has been updated to address a vulnerability that can lead to arbitrary code execution, Cisco's Talos division has reported.

Discovered by Talos researcher Aleksandar Nikolic and officially designated CVE-2017-2813, the bug is an integer overflow error that results in a wrong memory allocation, which can then be exploited to perform code execution. 

"This vulnerability is specifically related to the way in which the plug-in leverages the reference tile width value in a buffer size allocation," Talos explains in the post. "There are insufficient checks being done which can result in a small buffer being allocated for a large tile. This results in a controlled out-of-bounds write vulnerability.

The vulnerability is triggered when the user views an image in the application or uses the application's thumbnailing feature, Talos notes.

The latest, patched version of the IrfanView plug-in is available via the IrfanView website.

"The problem is not in IrfanView itself; it is in an external third-party plugin," said InfanView creator Irfan Skiljan, in comments sent to SC Media. "Most users do not install plugins, so the problem is not affecting many IrfanView users."

prestitial ad