ImageMagick, the open source image processing software has now issued patches for a large number of recently disclosed vulnerabilities that could have left several websites at risk of being hacked.
Some of these vulnerabilities included hackers being able to remotely execute codes by uploading malicious images.
Although the ImageMagick has said that they are not aware of any of such hacking incidents which have used the company’s vulnerabilities, but some experts have claimed that they are being used wildly.
An IT expert, Dan Tentler even uploaded a screenshot of the same on his Twitter account.
ImageMagick is widely used
The software has the ability to read and write over 200 different image formats. It is used by several online websites, blogs, content management systems and image processing plug-ins.
The bug in the software was actually discovered by a security researcher Nikolay Ermishkin who works for a Russian Internet company and ‘Stewie’.
They also created a website called ImageTrick which lists down all the vulnerabilities present in the software. Mainly created for admins and software developers, the website also includes steps to be taken while the company releases a successful patch.
Suciri, website security firm, published their own independent report on the vulnerabilities of ImageMagick. According to this report, filenames of the uploaded images are not properly filtered before they are sent to the server for further processing.
This is the reason why any hacker can embed a malicious code into any image, upload it and get past ImageMagick’s file check process simply by renaming the file extension to a traditional image file format like jpg or png.
This can basically compromise security of both the website and the people who visit it.
The founder of Suciri, wrote, “The vulnerability is very simple to exploit. An attacker only needs an image uploader tool that leverages ImageMagick. During our research we found many popular web applications and SaaS products vulnerable to it (people love gravatars), and we have been contacting them privately to get things patched. Unfortunately, even with all the media attention, not everyone is aware of this issue.”
The company first responded about this vulnerability on 3rd May and developed two patches for the same. A few lines of code needed to be added in the configuration files to block any access to the hackers.
But some experts still believe that these measures are incomplete.
Website owners would either have to wait for an efficient patch and find their own way through.
Though ImageTrick has also said that the developers should keep a check on the integrity of all the files that are uploaded. Also, if the mitigation steps cannot be done immediately, then no images should be uploaded until they are.
