The wave of a wand won't patch the security bug found in ImageMagick

A security bug in ImageMagick, the free open source image processing software, is allowing cyber-criminals to attack vulnerable servers from afar.

The vulnerability (CVE-2016-3714) lets a booby-trapped image upload trick ImageMagick into running shell commands, so an attacker can remotely execute code on web servers, and on any other machine that processes untrusted images with the library, and take over the websites behind them. Cyber-crooks are aware of the vulnerability and are exploiting it in the wild.

If you use ImageMagick, apply the published mitigations (a restrictive policy.xml that disables the affected coders) and change your own code so that it only passes genuinely valid image files to the library, verified by their content rather than by file extension. Sandboxing the ImageMagick process is a further layer of defence.
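The "only accept valid image files" advice above is easy to get wrong, because ImageMagick identifies a file by sniffing its content, not by its extension, so a text file renamed to .png is still parsed as text. The following is an added example (not code from the article or from the ImageMagick project) of a content check done the right way: it inspects the leading bytes of the upload against a whitelist of raster-format magic numbers and, for anything that passes, builds a convert command whose input is prefixed with the detected coder name so ImageMagick is told the format instead of guessing it. The sample inputs are constructed for the example; the function and constant names are this example's own.

```python
from typing import List, Optional

# Magic numbers of the raster formats we are willing to hand to ImageMagick.
# Text-based formats that ImageMagick would otherwise sniff and interpret
# (MVG, SVG, PostScript and so on) never match and are rejected up front.
IMAGE_MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF87a",
    "gif89": b"GIF89a",
}


def sniff_image_type(data: bytes) -> Optional[str]:
    """Return the ImageMagick coder name for a whitelisted format, or None.

    Only the bytes are consulted: the filename, extension and Content-Type
    header all come from the client and must not influence the decision.
    """
    for coder, magic in IMAGE_MAGIC.items():
        if data.startswith(magic):
            # GIF87a and GIF89a are both handled by the "gif" coder.
            return "gif" if coder.startswith("gif") else coder
    return None


def accept_upload(filename: str, data: bytes) -> bool:
    """True only if the content itself carries a whitelisted magic number."""
    kind = sniff_image_type(data)
    if kind is None:
        return False
    # The extension is untrusted, but a mismatch between what the client
    # claims and what the bytes say is still worth refusing: an honest
    # client has no reason to upload a JPEG named .png.
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    claimed = {"jpg": "jpeg", "jpeg": "jpeg", "png": "png", "gif": "gif"}.get(ext)
    return claimed == kind


def build_convert_argv(src_path: str, data: bytes, dst_path: str) -> List[str]:
    """Build the argv for ImageMagick's convert with an explicit input coder.

    Prefixing the input with "png:" / "jpeg:" / "gif:" forces that decoder,
    so even if the sniff above were somehow bypassed, ImageMagick is not left
    to pick a coder from the file contents.  Raises ValueError for content
    that did not pass the whitelist.
    """
    kind = sniff_image_type(data)
    if kind is None:
        raise ValueError("upload is not a whitelisted raster image")
    return ["convert", f"{kind}:{src_path}", dst_path]


if __name__ == "__main__":
    # Constructed sample inputs: a minimal PNG header, a JPEG header, and a
    # text file that an attacker has simply renamed to look like a PNG.
    png_upload = IMAGE_MAGIC["png"] + b"\x00\x00\x00\rIHDR"
    jpeg_upload = IMAGE_MAGIC["jpeg"] + b"\xe0\x00\x10JFIF"
    fake_png = b"this is not an image at all\n"
    print(accept_upload("photo.png", png_upload))   # True
    print(accept_upload("photo.png", jpeg_upload))  # False: content says JPEG
    print(accept_upload("photo.png", fake_png))     # False: no magic number
    print(build_convert_argv("/tmp/in", png_upload, "/tmp/out.jpg"))
```

A magic-number check is a gate, not a parser: it keeps text-based inputs away from ImageMagick but does not validate the rest of the file, so it belongs alongside the policy.xml mitigation and sandboxing rather than in place of them.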

“This is yet another example of an open source vulnerability that was detected and publicly announced by a security researcher but has yet to be documented in the National Vulnerability Database (NVD),” said Patrick Carey, director of product marketing at Black Duck Software, in comments emailed to SC. “We all rely on open source these days and this demonstrates why you need to do more than simply rely on NVD RSS feeds or email lists to stay on top of new vulnerabilities. Whether they build software with open source or simply use it as part of their web infrastructure, organisations need to invest in solutions that enable them to proactively detect and manage open source vulnerabilities like this.”

ImageMagick is working on a patch; at the time of writing, however, no release that completely addresses the flaws has been made available. Full technical details of the vulnerability have also been withheld for now, to reduce the risk of copycat exploits.