Security researchers have discovered a critical vulnerability in ImageMagick, an image processor used by millions of websites. As of writing, there’s no fix for what’s being called ImageTragick and worse yet, it’s being actively exploited in the wild.
ImageMagick is a free, open-source piece of software that supplies the backbone library for image processing plugins such as PHP's imagick, Ruby's rmagick and paperclip, and Node.js's imagemagick. It’s obscure enough that many webmasters likely don’t even realize they’re using it.
By uploading specially crafted malicious images, attackers can trick the software into running commands, which gives them remote code execution on the server that processes the image. From there, a bad actor can distribute malware, steal user data and even hijack the domain.
ImageMagick is aware of the flaw and attempted to fix it in version 6.9.3-9 that was released on April 30. As PCWorld notes, the patch didn’t quite get the job done and the issues remain.
Security researchers have already developed proof-of-concept exploits and as mentioned, there’s also evidence that people other than security researchers and ImageMagick developers have been tinkering with the flaw.
Administrators and developers are encouraged to check out this dedicated website for more information on the matter, including how to mitigate the flaw until a permanent fix is released. Separately, ImageMagick developers have suggested a policy-based mitigation tactic on their support forum.
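The policy-based mitigation works through ImageMagick's policy.xml, the file that controls which coders (format handlers) the library is allowed to use. The fragment below is an added example, not text from the article or from the ImageMagick project: it disables the coders named in the ImageTragick mitigation advice by denying them all rights inside the existing `<policymap>` element. The file's location is installation-dependent (assumed here to be the policy.xml shipped with the installed ImageMagick, e.g. under /etc/ImageMagick-6/ on Debian-based systems); the entries are added alongside whatever policies the file already contains.

```xml
<!-- Added example: coder restrictions for ImageTragick mitigation.
     Place these <policy> elements inside the existing <policymap>
     of ImageMagick's policy.xml; path varies by installation (assumption). -->
<policymap>
  <!-- EPHEMERAL, URL, HTTPS, MVG and MSL are the coders that let a crafted
       image file reach shell commands or fetch/delete arbitrary files. -->
  <policy domain="coder" rights="none" pattern="EPHEMERAL" />
  <policy domain="coder" rights="none" pattern="URL" />
  <policy domain="coder" rights="none" pattern="HTTPS" />
  <policy domain="coder" rights="none" pattern="MVG" />
  <policy domain="coder" rights="none" pattern="MSL" />
</policymap>
```

After editing the file, `convert -list policy` prints the policies ImageMagick has actually loaded, which confirms both that the right policy.xml was edited and that the coder restrictions are in effect before any web worker that calls the library is restarted. Pairing this with a check of the uploaded file's magic bytes before it is handed to ImageMagick (so a file claiming to be a JPEG really starts with a JPEG header) was the other widely recommended stop-gap.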