More threads by David Baxter PhD

David Baxter PhD

Late Founder
25% of computers have vulnerable IrfanView installed

The vulnerability is easily exploitable, as it only requires that a user is tricked into opening a specially crafted palette (.PAL) file.

Secunia Advisory: SA26619
Critical: Moderately critical
Impact: System access
Where: From remote
Solution Status: Vendor Patch

Software: IrfanView 3.x, IrfanView 4.x < 4.10

Description: Secunia Research has discovered a vulnerability in IrfanView, which can be exploited by malicious people to compromise a user's system.

The vulnerability is caused due to a boundary error when importing palette (*.pal) files. This can be exploited to cause a stack-based buffer overflow by tricking a user into importing a specially crafted palette (*.pal) file.

Successful exploitation allows execution of arbitrary code.

The vulnerability is confirmed in version 4.00. Other versions may also be affected.

Solution: Update to version 4.10 -
Replying is not possible. This forum is only available as an archive.