Software Integrity

 

ImageMagick vulnerability could allow remote attacks using malformed image files

A vulnerability in a popular software suite used to resize and re-produce image files in a variety of file formats could also allow remote command execution on a compromised web site.

Security researchers last week discovered a heap overflow and an out-of-bounds read bug in ImageMagick, a software suite used to create, edit, compose, or convert bitmap images into a variety of file formats. Web sites use the suite to resize a user-defined avatar, for example. The researchers – more than one has been named — discovered that a remote attack on this suite could execute arbitrary code by hiding it inside image files that a user uploads.

Officially the vulnerability is known as CVE-2016-3714 and includes improper input validation (CWE 20). Informally the vulnerability is known as ImageTragick and has its own web page.

At the same time more vulnerabilities were disclosed on Wednesday by security researcher Hanno Böck, namely one heap buffer overflow in the PICT parser and one heap out of bounds read in the PSD parser.

A fix in the form a new release is available on the ImageMagick site. Alternatively a work around requires effected sites to update their configurations to implement these policies.