back to article Extreme photo-bombing: Bad ImageMagick bug puts countless websites at risk of hijacking

A wildly popular software tool used by websites to process people's photos can be exploited to execute malicious code on servers and leak server-side files. Security bugs in the software are apparently being exploited in the wild right now to compromise at-risk systems. Patches to address the vulnerabilities are available in …

  1. find users who cut cat tail

    Death by magic

    The ‘magic’ part of ImageMagick is the problem here. One of its main selling points is that it just works and does something at least kind-of-useful with almost any file type you might want to convert to an image and process so. Which is very nice when you need it.

    But it is also exactly the wrong approach for untrusted input.

    Does a web image gallery really need converters from PoV-Ray, manual pages and HTTPS (sic)?

    1. Dan 55 Silver badge

      Re: Death by magic

      The way to do that is one process reads the input but does nothing with it and hands it off to another with reduced privileges which processes it. It means stack smashing programs are confined to relatively harmless processes. If combined with BSD's pledge() then even better.

  2. Anonymous Coward
    Anonymous Coward


    Just please tell me that picture associated with the article will never invade my space. No worries probably as way too hip for me.

    1. Anonymous Coward
      Anonymous Coward

      Re: wow

      Really? I can't quite see the style properly (the disadvantage of selfies is the presence of people where you'd expect the interesting part to be), but it strikes me as Thai or in that region. What's your problem with that?

      It's part of the places worth seeing IMHO.

  3. Anonymous Coward
    Anonymous Coward

    No news on GraphicsMagick..

    ImageMagick got forked quite a while back, and the result was GraphicsMagick which purports to be more efficient. No news there yet of any updates - maybe they dodged this one..

    1. Anonymous Coward
      Anonymous Coward

      Re: No news on GraphicsMagick..

      I assume GraphicsMagick is vulnerable, and may take longer to get fixed. It has a /etc/ImageMagick/policy.xml file... I'm patching it.

      1. Anonymous Coward

        Re: No news on GraphicsMagick..

        Ok, my assumption was wrong. At first glance, anyway, GraphicsMagick is NOT vulnerable to these attacks. GraphicsMagick FTW.

  4. allthecoolshortnamesweretaken

    "According to Slack security engineer Ryan Huber, ...

    I'd like to see how he phrased that in his CV.

  5. BongoJoe

    I have never understood selfies. If one is in front of a wonderful view then take that view but don't ruin it.

    I saw my first Selfie Stick in the wild the other day and I had to resist all temptation to shove it up the owner's arse. Taking a selfie is narcissism one step too far but going out to buy a tool in which to do it is somewhat frightening.

    Perhaps this bitterness is born from the fact that I have the face for (silent) radio...

    1. TheProf
      Thumb Up

      Take 2

      " If one is in front of a wonderful view then take that view but don't ruin it."

      Well one could take two pictures. One of the wonderful view and one of oneself with the wonderful view in the background..

      The funny thing is, most people like looking at images of other people. Yes, silly isn't it. There they are sitting in front of the Taj Mahal and all anyone wants to look at is the happy couple.

      Another funny thing, most great painters thought nothing of painting a self-portrait.

    2. Francis Boyle Silver badge

      On the other hand what's the point in taking the same photo that literally millions of others have taken before you. Unless you're a professional photographer, you're taking pictures to make a record of the (hopefully) happy moments of your life. Maybe that's narcissistic but it's also very human and as far as I can see harmless.

    3. Dr Spork

      It's a "social media" thing: Billions of miserable pathetic wretches desperately vying to convince their "friends" that their own miserable and pathetic existences are less miserable and pathetic than those " friends' " miserable and pathetic existences.

      Post a snap of the M25 flyover and it's just a snap of the M25 flyover... but... post a snap of *yourself* at the M25 flyover and suddenly it's a different thing entirely: Look! I've "been to" the M25 flyover! OMG! Who's livin it now!!! Suckers!!!!! Don't you SOOOO wish you were me?!!!!!!one

      1. Horridbloke

        @Dr Spork

        An M25 flyover selfie would be pretty underwhelming, but the photo used in the article features Wat Rong Khun, a temple in Northern Thailand. There's lots of strange and beautiful stuff in that corner of the world that justifies snapping a memento.

        I'm unsure why people get so upset about selfies. Compare them to the bad medical tips, ropey politics, phrases that might pertain to football and the mild-to-moderate racism that spews up on most people's facebook walls. Self-portrait photos are among the least-offensive items on social media.

        Is it the selfie stick that irks people? The last time I was at Heathrow I was walking just behind a group of lads filming themselves on a go-pro-on-a-stick as they walked to their gate. It seemed silly but is that really worth getting annoyed about?

    4. Anonymous Coward
      Anonymous Coward


      I think I'll get myself a selfie stick for the sole purpose of winding up people like you.

    5. Anonymous Coward
      Anonymous Coward


      Well if that's the first time you have seen a selfie stick in the wild, then you I guess you don't get out much.

      1. BongoJoe

        Well if that's the first time you have seen a selfie stick in the wild, then you I guess you don't get out much.

        Or I tend to go to the right sort of places where bearded narcissists don't venture.

    6. Anonymous Coward
      Anonymous Coward

      I have never understood selfies. If one is in front of a wonderful view then take that view but don't ruin it.

      Neither have I. Fortunately I normally tend to carry a slightly better camera around (nothing too fancy, just a Lumix FZ200 which madly conditional menu structure makes me suspect Panasonic employs a Microsoft UI engineer), and that weighs just too much for any selfie stick temptation :).

      I take an image because I want to preserve a memory or a sight. I see my own face fairly regularly when shaving, and most of my friends also know what I look like..

      1. The Packrat

        Instead of asking a stranger to take a picture of you (and whomever else) in front of whichever attraction (or personage) using your camera, you do it yourself. The problem is that people have taken it to extremes and do it inappropriately, causing damage to surroundings, obstructing others and posing as a general safety hazard.

  6. Blofeld's Cat

    Er ...

    Is that "Kitten Kong" lurking in the background of the accompanying image?

  7. ecofeco Silver badge

    The fun never ends!

    Does it.

  8. Dr Spork

    Somewhat tangentially...

    Anyone any idea what changed between 6.x and 7.0? A look at their (freshly cleaved) website(s) gave remarkably little away, except that they're keeping the 6.x line going as "legacy" - so presumably this isn't just a torvaloid ovine renumeration episode... ?

  9. #define INFINITY -1

    By feeding booby-trapped data – such as a poisoned selfie

    thank you

    1. TRT Silver badge

      Re: By feeding booby-trapped data – such as a poisoned selfie

      Poisoned booby selfie.

  10. energystar

    We users|consumers are so...

    From always known the Trojans within one bit masks. They are now within encrypted one bit masks...

    1. energystar

      Non-trusted renders...

      Should be always added one bit mask noise, as prophylactics.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon