ImageMagick Vulnerabilities Place Countless Websites at Risk, Active Exploitation Confirmed

Yesterday afternoon, May 3rd, 2016, Slack security engineer Ryan Huber posted an article warning about vulnerabilities in ImageMagick, an image manipulation software solution installed on millions of Web sites.

“If you use ImageMagick or an affected library, we recommend you mitigate the known vulnerabilities by doing at least one of these two things (but preferably both!):” says Ryan Huber.  We have included these solutions below at the bottom of this post.

This vulnerability affects not only the core ImageMagick software, but any third-party software built on the ImageMagick libraries, such as servers running PHP's imagick, Ruby on Rails' rmagick and paperclip, NodeJS's imagemagick, and possibly other software solutions out there.

Attackers are essentially uploading crafted files disguised as images to web applications that accept uploads, whether forums, WordPress applications, Drupal applications, etc.; when the application hands such a file to the ImageMagick library for processing, the attacker gains remote code execution on the affected server.

You can visit the site here to read more about this critical vulnerability, and how to possibly protect yourself.

Due to the severity of this bug, we do not expect a long wait for an official update, but in the interim we recommend that you protect yourself from the exploit with one of these two workarounds:

  1. Use a different image processing library, like gMagick. This solution may have reduced functionality, but given the severity of the ImageMagick exploit, it is better to be safe than sorry.
  2. Verify that every image handed to ImageMagick starts with the correct magic bytes (file signature) for the format it claims to be, and reject anything else before processing the image.  A list of magic bytes can be located here.
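An added example of the second workaround, written for this post and not code from the original article or from the ImageMagick project: it checks an upload's first bytes against the published signatures of a small allow list of raster formats, requires the filename extension to agree with what the bytes say, and builds an explicit `format:path` input argument (ImageMagick's own syntax for forcing a particular decoder) so the tool does not sniff the content on its own. The sample uploads, and the function and constant names, are this example's own.

```python
"""Magic-byte (file signature) check for uploads before they reach ImageMagick.

Added example; not code from the original post or from ImageMagick. The
signatures below are the published headers for PNG, JPEG, GIF and BMP. The
sample inputs are constructed in this file and are not real uploads."""

# Allowed formats and the bytes each one must start with.
SIGNATURES = {
    "png":  [b"\x89PNG\r\n\x1a\n"],   # 8-byte PNG signature
    "jpeg": [b"\xff\xd8\xff"],        # SOI marker followed by a segment marker
    "gif":  [b"GIF87a", b"GIF89a"],
    "bmp":  [b"BM"],
}

# Which format each accepted filename extension is allowed to claim.
EXTENSION_FORMAT = {"png": "png", "jpg": "jpeg", "jpeg": "jpeg",
                    "gif": "gif", "bmp": "bmp"}


def sniff_format(data):
    """Return the allowed format whose signature opens `data`, or None."""
    for fmt, sigs in SIGNATURES.items():
        if any(data.startswith(sig) for sig in sigs):
            return fmt
    return None


def validate_upload(filename, data):
    """Decide whether an upload may be handed to ImageMagick.

    Returns (True, format) when the extension is on the allow list and the
    content really starts with that format's signature; otherwise
    (False, reason). Both halves matter: ImageMagick chooses its decoder from
    the content rather than the extension, so a text file named photo.jpg
    would otherwise be parsed as whatever its bytes look like (MVG, SVG, ...).
    """
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    claimed = EXTENSION_FORMAT.get(ext)
    if claimed is None:
        return False, "extension not allowed: %r" % ext
    actual = sniff_format(data)
    if actual is None:
        return False, "no recognised image signature in first bytes"
    if actual != claimed:
        return False, "extension claims %s but content is %s" % (claimed, actual)
    return True, actual


def imagemagick_input(filename, data):
    """Validated filename argument for convert/identify, e.g. 'png:avatar.png'.

    The explicit 'format:' prefix is ImageMagick's syntax for forcing a
    decoder, so the validated format is the one that actually gets used."""
    ok, detail = validate_upload(filename, data)
    if not ok:
        raise ValueError(detail)
    return "%s:%s" % (detail, filename)


# Constructed samples (not real uploads): a PNG header, a GIF header,
# an SVG document, and a harmless MVG drawing, each under various names.
PNG_BYTES = b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR"
GIF_BYTES = b"GIF89a\x01\x00\x01\x00"
SVG_BYTES = b'<?xml version="1.0"?><svg xmlns="http://www.w3.org/2000/svg"/>'
MVG_BYTES = b"push graphic-context\nviewbox 0 0 640 480\npop graphic-context\n"

SAMPLES = [
    ("avatar.png", PNG_BYTES),   # accepted
    ("avatar.gif", GIF_BYTES),   # accepted
    ("avatar.png", GIF_BYTES),   # rejected: extension/content mismatch
    ("avatar.jpg", SVG_BYTES),   # rejected: text format disguised as JPEG
    ("avatar.jpg", MVG_BYTES),   # rejected: text format disguised as JPEG
    ("avatar.svg", SVG_BYTES),   # rejected: .svg is not on the allow list
]

if __name__ == "__main__":
    for name, blob in SAMPLES:
        print(name, validate_upload(name, blob))
```

Run the check on the raw upload before any resize or thumbnail step, and pass the string returned by `imagemagick_input` (rather than the bare path) to whatever wrapper invokes ImageMagick. Keep the allow list to the raster formats the application really needs; text-based formats such as SVG and MVG are exactly the ones a signature check is meant to keep away from the library.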