CVE-2022-24457 HEIF Image Extensions Remote Code Execution Vulnerability.

CVE-2022-24457 HEIF Image Extensions Remote Code Execution Vulnerability.

The issue was discovered by Michal Zalewski from Google’s Project Zero team. The vulnerability affects the JPEG and PNG image formats, allowing remote attackers to execute arbitrary code on vulnerable installations of Heif-enabled applications. The attack vector is related to image parsing, as the affected formats allow the inclusion of arbitrary JavaScript code. The problem exists in the handling of PNG and JPEG images with a ‘magic’ value of 80 (PNG) or 49 (JPEG) that contain JavaScript code. If a user were to view a maliciously crafted image on a website, the JavaScript code would be executed in the context of the user’s web browser. The severity of the issue depends on the type of application using the Heif image format. An attacker can exploit the vulnerability via any of the following scenarios: In a web application that uses the Heif image format, an attacker can host a crafted image on a website. When the user visits the website and views the image, the code is executed in the context of the user’s web browser. In a mobile application that uses the Heif image format, an attacker can send a crafted application to a user’s device. When the user launches the application, the code is executed in the context of the user’s mobile device. In a native application that uses the Heif image format, an attacker can send a crafted application to a user’s device. When the user launches the application

Finding and fixing Heif vulnerabilities

Heif is a common format for the storage of JPEG and PNG images in web pages. This vulnerability affects all versions of the software, including in Adobe Photoshop, Illustrator, InDesign, CorelDRAW and Microsoft Office applications.
The vulnerability was discovered by Michal Zalewski from Google’s Project Zero team. The issue has been assigned CVE-2022-24457. If you have any Heif-enabled applications on your network that are vulnerable to this issue, please contact your IT administrators immediately. Your IT administrators will be able to help mitigate this issue by ensuring that the appropriate patches have been applied on their systems. Please note that this patch will only prevent malicious JavaScript code from being executed; it will not eliminate the risk of attackers exploiting this vulnerability more generally.

Vulnerability overview

The vulnerability was discovered by Michal Zalewski from Google’s Project Zero team. The issue affects the JPEG and PNG image formats, allowing remote attackers to execute arbitrary code on vulnerable installations of Heif-enabled applications. The attack vector is related to image parsing, as the affected formats allow the inclusion of arbitrary JavaScript code.
The problem exists in the handling of PNG and JPEG images with a ‘magic’ value of 80 (PNG) or 49 (JPEG) that contain JavaScript code. If a user were to view a maliciously crafted image on a website, the JavaScript code would be executed in the context of the user’s web browser. The severity of the issue depends on the type of application using the Heif image format. An attacker can exploit the vulnerability via any of the following scenarios:
In a web application that uses the Heif image format, an attacker can host a crafted image on a website. When the user visits the website and views the image, the code is executed in the context of the user’s web browser. In a mobile application that uses the Heif image format, an attacker can send an app to a user’s device. When they launch it, it is executed in their mobile device's context and would have access to all available resources on their device (e.g., camera). In a native application that uses Heif format, an attacker could send an app to a user's phone when

What is Heif?

Heif is a format that allows users to send small images and videos of up to 1 megabyte in size. Despite the small file size, it supports progressive image loading, which means that the image or video will not be fully loaded until the user actually needs it.

References

Subscribe to CVE.news
Don’t miss out on the latest issues. Sign up now to get access to the library of members-only issues.
jamie@example.com
Subscribe