Vulnerability in Resco Photo Viewer 6.01 Enabling Code Injection and Arbitrary Code Execution
Risk: Moderate
Affected Software:
Resco Photo Viewer 4.11
Resco Photo Viewer 6.01
Description:
This security advisory describes a vulnerability in Windows Mobile 5.0, Windows Mobile 2003, and Windows Mobile 2003 Second Edition that causes remote code execution when .PNG files are processed.
It enables a remote attacker to execute arbitrary code when viewing a malformed .PNG file using Resco Photo Viewer versions 4.11 and 6.01.
This vulnerability can be exploited through a break-in attack scenario. In this scenario, an attacker attempts to gain complete or partial control of an affected mobile device either through code injection or exploitation of programming errors. This scenario affects Resco Photo Viewer if a user handles a malformed .PNG file with that image viewer.
An attacker who successfully exploits this vulnerability could then steal data, steal critical user information, and cause the affected user to incur charges for premium Short Message Service (SMS) messages initiated by the attacker.
Workaround Fixes:
Refrain from using Resco Photo Viewer versions 4.11 and 6.01 when browsing and viewing .PNG files until the application vendor releases an appropriate patch.