In association with heise online

03 April 2007, 10:47

Multiple vulnerabilities in ImageMagick image editing software

  • Twitter
  • Facebook
  • submit to slashdot
  • StumbleUpon
  • submit to reddit

Multiple vulnerabilities in the popular open source image editing program ImageMagick can be exploited by an attacker to inject malicious code onto a victim's PC. According to security services provider iDefense, opening a prepared image in DCM (Digital Imaging and Communications in Medicine) or XWD (X Windows Dump) format is sufficient to trigger the exploit. Because parts of the ImageMagick tool collection are used by web services, for example to produce automatically thumbnails of uploaded images, servers may also be affected by this problem. Other applications also make use of tools offered by ImageMagick. All of the vulnerabilities are the result of buffer overflows when reading images.

While the DCM format is not particularly widely used, according to iDefense, ImageMagick does not recognise formats by the file extension, but by the content. Thus a prepared DCM image can be disguised as a JPG file. ImageMagick versions 6.3.x and 6.2.9 are affected. The bug is fixed in the official release 6.3.3-5 for Windows and Unix, which is already available. Linux distributors are likely also to release new packages shortly.

See also:

(mba)

Print Version | Send by email | Permalink: http://h-online.com/-732589
 


  • July's Community Calendar





The H Open

The H Security

The H Developer

The H Internet Toolkit