ImageMagick Vulnerability Discovered, Users Could Be Uploading a “Poisoned Selfie”

imagemagick-vulnPopular image-processing tool ImageMagick has been found to have a bug that could expose websites to attacks, reports say. The security bug allows infected images to trick a web server into execute malicious code that could be used to harvest data or snoop on user accounts. The discovered vulnerability affects web services that utilize ImageMagick and those that allow users to upload images.

ImageMagick is a “software suite to create, edit, compose or convert bitmap images.”  Social media platforms, blogging sites, and content management systems use this software to resize and tweak images sent and uploaded by end users.

In a statement, ImageMagick acknowledged the reports, saying, “We have recently received vulnerability reports for certain coders, they include possible remote code execution and ability to render files on the local system.

Security researchers under the name Stewie and security engineer Nikolay Ermishkin were behind the discovery of the vulnerability. While further details have yet to be shared, the information on the security flaw is a cause for concern, according to security experts, as the details of the vulnerability has surfaced prior to creating fixes that could limit possible damages. The available information about the bug places security experts in a cat-and-mouse race with exploit writers to keep servers worldwide secure before getting compromised.

Security researcher Ryan Huber noted in a blog post, “We have collectively determined that these vulnerabilities are available to individuals other than the person(s) who discovered them. An unknowable number of people having access to these vulnerabilities make this a critical issue for everyone using this software.” In fact,40 minutes following the disclosure and reports of the vulnerability, a proof-of-concept exploit has already been created and proven to have worked.

As of this writing, the company has not issued any patch for the vulnerability but encouraged website administrators to append several lines of code to configuration files to thwart any possible exploits. Apart from this, web application coders are also urged to examine sandboxing ImageMagick to limit access. By week’s end, it is said that versions 7.0.1-1 and 6.9.3-10 will cover necessary patches from the uncovered vulnerability.

HIDE

Like it? Add this infographic to your site:
1. Click on the box below.   2. Press Ctrl+A to select all.   3. Press Ctrl+C to copy.   4. Paste the code into your page (Ctrl+V).

Image will appear the same size as you see above.

Опубликовано в Vulnerabilities & Exploits, Vulnerabilities