Wednesday, May 04, 2016

Simple exploits use images to attack websites

Source: http://www.engadget.com/2016/05/04/imagemagick-web-exploits/

Would-be hackers don't always have to jump through hoops to bring down a website. Researchers have discovered relatively simple exploits in ImageMagick, a common package for processing pictures on the web, that let attackers run any code they like on a targeted server. If someone uploads a maliciously coded image and ImageMagick handles it, they could theoretically compromise both the site and anyone who visits it. That's particularly dangerous for forums and social networks, where user uploads are par for the course -- a vengeful member could wreck the site for everyone.

Thankfully, there are fixes. The ImageMagick team is closing the security holes within the next few days, and it's possible to thwart at least some attacks by either verifying the integrity of images or using a policy file to disable the susceptible features. The concerns are that these safeguards won't cover everything, or that website owners won't rush to shore up their defenses. It could be a while before you can assume that your favorite social sites are protected.
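One way to apply the "verify the integrity of images" safeguard mentioned above, as an added example that is not code from the article or from the ImageMagick project: check that an upload's leading bytes match an allow-listed image signature, and that they agree with the claimed extension, before the file is handed to ImageMagick. Reading "integrity" as a magic-byte check is an assumption here, as are the three accepted formats, the function names and the constructed sample uploads.

```python
import os

# Allow-list of accepted formats and the leading bytes each must start with.
MAGIC = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}
# Extensions a client may claim, mapped to the format they imply.
EXT_TO_FORMAT = {".png": "png", ".jpg": "jpeg", ".jpeg": "jpeg", ".gif": "gif"}


def sniff_format(data: bytes):
    """Return the allow-listed format whose magic bytes open `data`, else None."""
    for fmt, signatures in MAGIC.items():
        if any(data.startswith(sig) for sig in signatures):
            return fmt
    return None


def check_upload(filename: str, data: bytes):
    """Return (accepted, detail); accept only if content and extension agree."""
    claimed = EXT_TO_FORMAT.get(os.path.splitext(filename)[1].lower())
    if claimed is None:
        return False, "extension not on allow-list"
    actual = sniff_format(data)
    if actual is None:
        return False, "content does not start with an allowed image signature"
    if actual != claimed:
        return False, f"extension claims {claimed} but content is {actual}"
    return True, actual


# Constructed sample uploads (headers only, not real images).
SAMPLES = [
    ("avatar.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16),
    ("photo.JPG", b"\xff\xd8\xff\xe0" + b"\x00" * 16),
    ("banner.gif", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16),
    ("picture.png", b"plain text renamed to look like an image\n"),
    ("notes.svg", b"<svg xmlns='http://www.w3.org/2000/svg'/>"),
]

if __name__ == "__main__":
    for name, blob in SAMPLES:
        print(name, check_upload(name, blob))
```

A signature check only filters what reaches the image processor; it does not replace the patched release or the policy file.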

Via: Ars Technica

Source: ImageTragick, ImageMagick