Critical vulnerability in IrfanView plugin
The official plugin package for the popular image viewer IrfanView is currently shipped with a vulnerable version of the FlashPix plugin. The code contains a critical vulnerability which could be exploited by an attacker to infect a system with malicious code; the hole is caused by a heap buffer overflow.
An attacker merely needs to get a user to open a specially crafted FlashPix format image with IrfanView to get their code to run. Admittedly, this is a relatively exotic file format which might not be opened deliberately, but opening the file could also occur unknowingly, for example, when looking at a folder full of images and browsing their thumbnails with IrfanView.
The FlashPix hole is patched in version 4.34 of the plugin pack, but it must be reinstalled manually. The gap was discovered by security researcher Francis Provencher, who reported it confidentially to Secunia. He has since released a proof of concept, which means that IrfanView users who have installed the plugin package should update as soon as possible. A month ago, a similar issue in the XnView image viewer was also fixed.