ImageMagick Vulnerability Exposes Image Processing Flaws
On Internet servers around the world, ImageMagick, a widely deployed technology for processing images for the Internet, is under attack via a vulnerability identified as CVE-2016-3714, a remote code execution issue that could enable an attacker to exploit an affected system.
The ImageMagick flaw, which is receiving the branded vulnerability treatment, is also known as ImageTragick. The initial flaw in ImageMagick was found by a security researcher known publicly only as "Stewie," who has a track record of responsibly disclosing flaws by way of the HackerOne bug-bounty system. Security researcher Nikolay Ermishkin from the Mail.Ru Security Team is credited with finding additional issues including the remote code execution condition.
The ImageMagick project is already providing some guidance to help mitigate the remote code execution risk and plans on issuing a software update soon.
"The ImageMagick policy was developed many years ago to help prevent possible exploits and is discussed here," a post on the ImageMagick forum states.
Widely deployed open-source ImageMagick image processing libraries are at risk from a flaw that attackers are already exploiting.
While a public proof of concept for the vulnerability was not immediately made available, one is coming, very soon. Tod Beardsley, security research manager at Rapid7, noted that there is a draft version for one of the ImageMagick vulnerabilities for review at the Metasploit Penetration Testing Framework open-source repository. Rapid7 is the lead commercial sponsor of the open-source Metasploit penetration testing framework.