Because it’s been a while since things got really interesting, the vulnerability gods have decided to amuse themselves with the announcement of a new issue. It affects a lot of websites and lets attackers have all sorts of not-fun-for-you fun in your system. Here’s what you need to know.
The vulnerability’s in a popular software tool called ImageMagick; the good news is that there’s a great name for it – ImageTragick. Unfortunately, that’s about where the good news ends.
ImageMagick is a widely used image processing library that – in the super technical words of one of our engineers – lets you ‘mess around with pictures’. If you upload a picture to a website, there’s a decent chance that ImageMagick’s involved somewhere.
It’s supported by PHP, Python and a hecktonne of other languages, and a lot of content management systems like WordPress rely on it to resize images.
The guy who discovered it tried to keep it on the down-low until a patch was issued, but it was quickly figured out, so it’s now in the wild. The technical name is CVE-2016-3714 if you’re into that sort of thing and want to do a bit of extra research.
ImageMagick has announced that it will be issuing a patch for the vulnerability over the weekend, so keep your eyes peeled, people.
If any UKFast customers have any concerns in the meantime, just give our team a call.