The Data Compression News Blog

All about the most recent compression techniques, algorithms, patents, products, tools and events.

Apple ImageIO Buffer Overflow in Processing JPEG2000 Images

Posted by Sachin Garg on 2nd October 2006

The Mac OS X 10.4.8 Update and Security Update 2006-006 fix a buffer overflow bug that could be used to execute arbitrary code simply by viewing a maliciously crafted JPEG2000 image.

More details on the bug are not available, at least not yet. The CVE ID for this vulnerability is CVE-2006-4391, in case you want to look for details later (SecurityTracker Alert ID: 1016953).

Security issues arising from how applications handle compressed files (or, for that matter, any file) are not new, and almost all major compressed formats have seen such issues. While there isn’t much that can be done when designing the formats, a little consideration given to the possibility of such cases can help a lot in the long run.

Developers of applications or core libraries that handle such file formats definitely need to be more careful. Last year, when we saw such issues in the more widely deployed GIF and JPEG formats, iDefense, a security intelligence company, in conjunction with Black Hat, made available tools that let researchers automate the discovery of file format vulnerabilities.

Prevention is of course better than cure.