Slashdot Mirror

← Back to Stories (view on slashdot.org)

Huge Number Of Sites Imperiled By Critical Image-Processing Vulnerability (arstechnica.com)

Posted by msmash on from the security-woes dept.

Dan Goodin, reporting for Ars Technica: A large number of websites are vulnerable to a simple attack that allows hackers to execute malicious code hidden inside booby-trapped images. The vulnerability resides in ImageMagick, a widely used image-processing library that's supported by PHP, Ruby, NodeJS, Python, and about a dozen other languages. Many social media and blogging sites, as well as a large number of content management systems, directly or indirectly rely on ImageMagick-based processing so they can resize images uploaded by end users. According to developer and security researcher Ryan Huber, ImageMagick suffers from a vulnerability that allows malformed images to force a Web server to execute code of an attacker's choosing. Websites that use ImageMagick and allow users to upload images are at risk of attacks that could completely compromise their security. "The exploit is trivial, so we expect it to be available within hours of this post," Huber wrote in a blog post. He went on to say: "We have collectively determined that these vulnerabilities are available to individuals other than the person(s) who discovered them. An unknowable number of people having access to these vulnerabilities makes this a critical issue for everyone using this software."

3 of 104 comments (clear)

  1. Re:Its as secure as the programmer does .. by Flavianoep · · Score: 3, Interesting

    [1] http://www.fefe.de/

    That is the most Spartan website I've seen ever, and I am talking about the source too.

    --
    Linux is for people who don't mind RTFM.
  2. Re:Its as secure as the programmer does .. by dgatwood · · Score: 4, Interesting

    From all information I overlook I can say, yes in "C" it is incredible easy to make simple errors with hugh consequences - choosing types for example. However "C"-programming can be made more secure with a strict application of certain rules especially on "forbidden" & dangerous constructions. The missconception why "C" is deemed as an insecure language is that much of the code in use stems from the "ancient" times, when such code was mostly not exposed to the raw unforgiving "force" of the internet.

    This—in much the same way that the huge number of PHP SQL injection attacks is not because PHP's SQL APIs are insecure, but rather because so much code is still around that was built against early APIs that lacked modern security features like template-based queries. Eventually, every language gets these sorts of complaints, and always for the same reason; most code out there is in a constant state of "deprecated, but still works, so we aren't going to touch it".

    --

    Check out my sci-fi/humor trilogy at PatriotsBooks.

  3. Re:C for insecurity by grumbel · · Score: 3, Interesting

    I'd blame the OS instead. Giving each process full access to the system just isn't a good way to do things and constantly leads to problems like this. Python can stop some those problems, but it provides by no means a secure sandbox. If you access the filesystem in Python, you still have full access to the filesystem. In cases such as this the process should be limited to exactly the data it needs to get the job done, meaning an input image, an output location and a bunch of configuration parameter.