This vulnerability was discovered by Yves Younan.

Talos, in coordination with FreeImage, is disclosing the discovery of TALOS-2016-0189 / CVE-2016-5684.

FreeImage is widely used software integrated into over 100 products ranging from free to paid licensing and include multimedia software, games, developer tools, PDF generators and more.  FreeImage makes use of a common file format created by Adobe, Extensible Metadata Platform (XMP) that allows real-time managing of metadata.  Per Adobe, the XMP file format, allows users to “embed metadata into files themselves during the content creation process”, and FreeImage’s 3.17.0 integration of this file format into its software is vulnerable to an overflow in the “Colors Per Pixel” value of an XMP image.  Generally speaking, when FreeImage 3.17.0 opens an XMP file with a large enough Colors Per Pixel value, i.e. the number is too large, it is not handled properly by follow-on code in the function that uses it. You can liken it to taking a 99 oz. glass, turning on the faucet, and filling it up with 100+ ounces of water.  The water spills over and gets into areas you don’t want it to be.  In technical terms, the large value is not properly validated during the code execution and it can trigger an out of bounds write.  This causes an arbitrary memory overwrite that can effectively result in remote code execution. This is likely to be exploited if someone sends you a maliciously crafted image file as an email attachment or possibly via an instant message.

Due to the widespread integration and the relative ease with which the vulnerability can be exploited, we strongly encourage anyone using software that integrates FreeImage to patch their platforms as soon as possible.  A list of software can be found on FreeImage’s site here.

FreeImage patched this vulnerability in CVS on August 7th, however they have not released a new version of the software. If you use FreeImage, it is recommended that you update to the CVS version to avoid being exposed to this vulnerability.

For the full technical details regarding this vulnerability, please refer to the vulnerability advisory which can be found on our website here.

Talos has released rules that detect attempts to exploit this vulnerability to protect our customers. Please note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your FireSIGHT Management Center or

Snort Rules: 39883 & 39884

For further zero day or vulnerability reports and information visit: