ImageMagick vulnerability exposes countless websites to exploit

The image processing software gives attackers the chance to perform remote code execution through vulnerable domains.
Written by Charlie Osborne, Contributing Writer

Researchers have discovered that a critical image processing library has a severe vulnerability which has left a vast number of websites open to attack.


You may not have heard of ImageMagick, but the free, open-source software has been around for some time -- and countless websites rely on the suite for image processing.

ImageMagick supplies the backbone library for image processing plugins, including PHP's imagick, Ruby's rmagick, paperclip and node.js's imagemagick.

It is only through these suites that image uploads, blogging and galleries are possible, and many webmasters are using ImageMagick without even realizing it.

The software is a set of command-line programs which make the bulk processing of images easier, as noted by Naked Security. This is a common feature of many websites, and now, a critical flaw within the software is placing these domains at risk of cyberattack.

The vulnerability, CVE-2016-3714, was discovered by security researcher Stewie and the ramifications of the security flaw were explored by Nikolay Ermishkin from Mail.Ru's security team.

If exploited, CVE-2016-3714 allows malicious image uploads to trick ImageMagick into running commands, giving attackers the opportunity to perform remote code execution on compromised domains. This could permit hackers to hijack domains, distribute malware and steal data.

According to the researchers, the vulnerability is being actively exploited in the wild and is "trivial" as a security issue -- despite the severity of the damage it can cause -- so should not take long to patch.

Proof-of-concept (PoC) images are yet to be released but are expected to land Wednesday.

The ImageMagick team has acknowledged the flaw and recommends that webmasters use a suggested policy.xml workaround to mitigate the threat until a patch is released. The research team also suggests verifying that images start with the correct "magic bytes" signatures before processing.

Stewie and Nikolay say the mitigation technique is effective against the exploit samples they have seen, but "cannot guarantee they will eliminate all vectors of attack."
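The "magic bytes" check the researchers suggest can be sketched as follows. This is an added example, not code from the researchers or the ImageMagick project; the accepted formats, the function names and the sample uploads are assumptions made for illustration.

```python
import os

# Leading signatures for the raster formats this (assumed) upload path accepts.
SIGNATURES = {
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}

# File extensions each detected type is allowed to carry.
EXTENSIONS = {
    "jpeg": {".jpg", ".jpeg"},
    "png": {".png"},
    "gif": {".gif"},
}


def sniff_type(head: bytes):
    """Return the format whose signature starts `head`, or None."""
    for fmt, sigs in SIGNATURES.items():
        if any(head.startswith(sig) for sig in sigs):
            return fmt
    return None


def check_upload(filename: str, data: bytes):
    """Return (allowed, detail); content decides the type, the extension must agree."""
    fmt = sniff_type(data[:16])
    if fmt is None:
        return False, "no allowed image signature at offset 0"
    ext = os.path.splitext(filename)[1].lower()
    if ext not in EXTENSIONS[fmt]:
        return False, f"extension {ext!r} does not match detected {fmt}"
    return True, fmt


# Constructed samples: truncated headers, not real image files.
SAMPLES = [
    ("photo.jpg", b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"),
    ("logo.png", b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR"),
    ("avatar.jpg", b"plain text, not an image\n"),  # text content, image extension
    ("banner.gif", b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR"),  # type and extension disagree
]

if __name__ == "__main__":
    for name, blob in SAMPLES:
        print(name, check_upload(name, blob))
```

Run the check before the upload reaches any image processing call, and treat it as a complement to the policy.xml workaround, not a replacement for it.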
