Reference: CERT-EU Security Advisory 2016-124
Title: Critical vulnerability in ImageMagick allowing remote code execution
Version history: 04/05/2016 Initial publication.


Summary:
========
On May 3rd, 2016, security researchers reported several bugs in ImageMagick [1], a package commonly used by web services to process images. [2][3]

One of the vulnerabilities can lead to remote code execution (RCE) if a website process user submitted images.

This vulnerability is referenced by CVE-2016=E2=80=933714.


Products Affected:
==================
Affected versions of ImageMagick are all versions prior to: 7.0.1-1 and 6.9.3-10.

A Proof Of Concept is available [4]


Recommendations:
===============
Update ImageMagick to the latest version.

A workaround is to add an extra check for valid "magic bytes"= in uploaded images before their processing and/or editing the policy file to disable the vulnerable ImageMagick codecs. [2]


References:
==========
[1] https://www.imagemagick.org/script/index.php
[2] https://imagetragick.com/
[3] http://www.openwall.com/lists/oss-securit= y/2016/05/03/18
[4] https://twitter.com/Viss/status/727613890020806= 656


Best Regards,

CERT-EU Team (http://cert.europa.eu)
Phone: +32.2.2990005 / e-mail: cert-eu@ec.europa.eu
PGP KeyID 0x46AC4383
FP: 9011 6BE9 D642 DD93 8348 DAFA 27A4 06CA 46AC 4383
Privacy Statement:
http://cert.europa.eu/cert/plainedition/e= n/cert_privacy.html