A large number of websites have been exposed to hacking because of critical flaws in the ImageMagick library.
ImageMagick, an image processing software that is supported by a multitude of languages such as Ruby, Python, PHP, NodeJS and more, is used by numerous blogging and social media sites along with several content management systems to resize photos uploaded by their users.
Mail.Ru's security researcher Nikolay Ermishkin initially uncovered the code-execution vulnerabilities.
The flaws were reported to ImageMagick's developers, who then provided a fix in a software version pushed out on April 30. The fix, however, is not complete yet, which means the image processing software can still be exploited.
Security researcher and developer Ryan Huber also discusses the vulnerabilities in a blog post published on May 3, saying sites that use the software to let end users upload photos are at risk of malicious attacks.
“We have collectively determined that these vulnerabilities are available to individuals other than the person(s) who discovered them,” adds Huber. “An unknowable number of people having access to these vulnerabilities makes this a critical issue for everyone using this software.”
Researchers at security firm Sucuri also explain how the security flaws work.
A post from the firm says that the bugs are easy to exploit. It goes on to say that an attacker only needs to use an image uploader tool that leverages this image processing software.
Sucuri says it has discovered that several well-known Web apps and SaaS products are exposed to the vulnerabilities, adding that it has already begun contacting the affected companies privately so they can patch the holes.
“Unfortunately, even with all media attention, not everyone is aware of this issue,” says the security firm.
Sucuri is the same firm that revealed last year that a number of sites across the globe were in danger of being taken over by attackers because of a vulnerability found in WordPress.
Since the disclosure of the ImageMagick bugs, some researchers have already managed to come up with proof-of-concept exploits.
For instance, researcher Dan Tentler says on Twitter that he has made a proof-of-concept exploit that seems to work. Another PoC has also been made publicly available on GitHub.
The availability of these PoCs on the Web shows that the likelihood of malicious in-the-wild attacks is high, putting the security of many sites across the globe at risk.