A New Way to Hack You Using an Image

We all know how popular JPEG images are. From using them for PowerPoint presentations to sending them to friends, via emails and several social media platforms, they’re easy to use. However, this is about change.

A security professional at Cisco Talos, Aleksander Nikolic, has discovered a new vulnerability in Open JPEG 2000 codec (openjp2 ver. 2.1.1), which allows the hacker to send codes and ultimately control your machine.

This dangerous flaw was discovered more than two months ago, when a researcher discovered the vulnerability in the Open JPEG’s library. This zero-day vulnerability has been dubbed CVE 2016 8332 by the professionals and can enable a massive attack, if triggered.

The Open JPEG is – as you can understand by its name – an open source JPEG 2000 codec, programmed in C language. The program was developed so that many people could use JPEG 2000, as it would compress large images and provide a decent standard image for using it on many platforms; it was largely used in PDF files, which was embedded using third party software.

However, the flaw that is named CVE 2016 8332 was discovered accidentally via the errors in MCC records in the image file, which allowed a faulty reading and writing of a batch of surrounding memory area. However, the researchers also discovered that once the errors were further studied, they allowed access to a lot of information that defined other data present in the memory.

The experts further stated that this flaw could be used by hackers to attack a victim, but in order to accomplish it, the hacker needs to send the corrupt image and trick the user into opening it. For instance, the hacker can send the image in an email or upload the image on a cloud server such as Dropbox, and provide links to other users to download it and view it. However, once it is on the target’s machine, it will allow the hacker to send commands to the user’s machine.

The good news is that the security company has informed the vendors before disclosing the vulnerability to the public, which bought them time to come up with a patch to seal this flaw.

Source: The Hacker News, Fossbytes, Security Affairs
Facebooktwittergoogle_plusredditpinterestlinkedinmail
Facebooktwittergoogle_pluslinkedinrssyoutube

Kartel Onyekachi Chidiagba

Kartel Onyekachi Chidiagba is the C.E.O of Seamgates Technology Solutions, & lead writer at TechieDigest. His passion for helping people in all aspects of online marketing flows through in the expert industry coverage he provides. He is a savvy techie personnel.