Tue, May 03, 2016 11:18 pm

ImageMagick Vulnerability

ImageMagick is a free and open-source software suite widely used on Linux systems for displaying, converting and editing images. It is also available for many other platforms, including Apple's OS X and iOS operating systems and Microsoft Windows. A code execution bug was recently found in the software by Nikolay Ermishkin. Another security researcher, Ryan Huber, reports that the bug would allow a malefactor to create a malformed image file which, when uploaded to a web server that processes images with ImageMagick, e.g., to resize an image uploaded by a website visitor, can cause the server to execute code embedded in the image by the malefactor. Huber stated that the exploit is trivial to implement, so one should expect that many malicious individuals will soon attempt to exploit the vulnerability to compromise websites. If such individuals can compromise a website, they may then be able to place code on the site that could infect unsuspecting website visitors with other malicious software.

Huber advised website owners using ImageMagick for image processing on their sites to check the magic number in uploaded image files to verify that an uploaded file really is an image file of the type it claims to be. Wikipedia provides a list of common magic numbers at List of file signatures. One reason for ImageMagick's popularity is that it supports over 200 file formats; you can find a list of the supported file formats at ImageMagick: Formats. If you have ImageMagick installed, you can check which formats it supports on that system by issuing the command identify -list format.
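
The following is an added example of the magic-number check Huber recommends; it is not code from the original post or from ImageMagick. It compares the first bytes of an upload with the signatures from Wikipedia's list and rejects any file whose content does not match the extension it claims, so a text-based file renamed to .jpg never reaches the image processor. The SIGNATURES table, the validate_upload function and the sample uploads are my own constructions.

```python
import os

# Magic numbers taken from Wikipedia's "List of file signatures", all at offset 0.
SIGNATURES = {
    "png":  [b"\x89PNG\r\n\x1a\n"],
    "jpeg": [b"\xff\xd8\xff"],
    "gif":  [b"GIF87a", b"GIF89a"],
    "bmp":  [b"BM"],
    "tiff": [b"II*\x00", b"MM\x00*"],
}

# Only extensions a typical photo-upload form should accept; anything else is refused.
EXTENSION_TO_FORMAT = {
    "png": "png", "jpg": "jpeg", "jpeg": "jpeg", "gif": "gif",
    "bmp": "bmp", "tif": "tiff", "tiff": "tiff", "webp": "webp",
}


def detect_format(header: bytes):
    """Return the raster format whose signature starts the header, or None."""
    for fmt, magics in SIGNATURES.items():
        if any(header.startswith(m) for m in magics):
            return fmt
    # WebP is "RIFF" + 4-byte length + "WEBP", so the second magic sits at offset 8.
    if header[:4] == b"RIFF" and header[8:12] == b"WEBP":
        return "webp"
    return None


def validate_upload(filename: str, data: bytes):
    """Accept only files whose extension is allowed AND whose bytes carry that format's signature."""
    ext = os.path.splitext(filename)[1].lower().lstrip(".")
    claimed = EXTENSION_TO_FORMAT.get(ext)
    if claimed is None:
        return False, "extension not in allow-list"
    actual = detect_format(data[:16])
    if actual is None:
        return False, "no recognised raster image signature"
    if actual != claimed:
        return False, f"extension says {claimed} but content is {actual}"
    return True, actual


# Constructed sample uploads: a real PNG header, a JPEG header, a GIF renamed to .png,
# and a plain-text file renamed to .jpg (the kind of mismatch the check is meant to stop).
SAMPLE_UPLOADS = [
    ("photo.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 8),
    ("photo.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 12),
    ("cat.png", b"GIF89a" + b"\x00" * 10),
    ("cat.jpg", b"plain text pretending to be a jpeg"),
]


def check_samples():
    """Run the validator over the constructed samples; returns (filename, accepted, reason) tuples."""
    return [(name, *validate_upload(name, data)) for name, data in SAMPLE_UPLOADS]
```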

References:

  1. Huge number of sites imperiled by critical image-processing vulnerability
    By: Dan Goodin
    Date: May 3, 2016
    Ars Technica
