Researchers Uncover New Bugs in Popular ImageMagick Image Processing Utility

Cybersecurity researchers have disclosed details of two security flaws in the open source ImageMagick software that could potentially lead to a denial-of-service and information disclosure. The two issues, which were identified by Latin American cybersecurity firm Metabase Q in version 7.1.0-49, were addressed in ImageMagick version 7.1.0-52, released in November 2022. That said, an attacker must be able to upload a malicious image to a website using ImageMagick so as to weaponize the flaws remotely. The specially crafted image, for its part, can be created by inserting a text chunk that specifies some metadata of the attacker's choice. "If the specified filename is '-', ImageMagick will try to read the content from standard input potentially leaving the process waiting forever," the researchers said in a report shared with The Hacker News. In the same manner, if the filename refers to an actual file located in the server, an image processing operation carried out on the input could potentially embed the contents of the remote file after it's complete. This is not the first time security vulnerabilities have been discovered in ImageMagick. In May 2016, multiple flaws were disclosed in the software, one of which, dubbed ImageTragick, could have been abused to gain remote code execution when processing user-submitted images. A shell injection vulnerability was subsequently revealed in November 2020, wherein an attacker could insert arbitrary commands when converting encrypted PDFs to images via the "-authenticate" command line parameter.

This Cyber News was published on thehackernews.com. Publication date: Thu, 02 Feb 2023 06:51:02 +0000


Cyber News related to Researchers Uncover New Bugs in Popular ImageMagick Image Processing Utility

Researchers Uncover New Bugs in Popular ImageMagick Image Processing Utility - Cybersecurity researchers have disclosed details of two security flaws in the open source ImageMagick software that could potentially lead to a denial-of-service and information disclosure. The two issues, which were identified by Latin American ...
1 year ago Thehackernews.com
Researchers Uncover Simple Technique to Extract ChatGPT Training Data - Can getting ChatGPT to repeat the same word over and over again cause it to regurgitate large amounts of its training data, including personally identifiable information and other data scraped from the Web? The answer is an emphatic yes, according to ...
10 months ago Darkreading.com
What Is Patch Management? - Containers are created using a container image, and a container image is created using a Dockerfile/Containerfile that includes instructions for building an image. Considering the patch management and vulnerability management for containers, let's ...
8 months ago Feeds.dzone.com
Researchers extract RSA keys from SSH server signing errors - A team of academic researchers from universities in California and Massachusetts demonstrated that it's possible under certain conditions for passive network attackers to retrieve secret RSA keys from naturally occurring errors leading to failed SSH ...
10 months ago Bleepingcomputer.com
Edge Computing: Enhancing Data Processing - Edge computing revolutionizes data processing by bringing computational power closer to where data is generated, enhancing efficiency and responsiveness. Discover how edge computing is reshaping technology and our interactions with it, unlocking a ...
7 months ago Securityzap.com
Docker Image Building Best Practices - Starting with a basic, minimum image is essential when creating Docker images. They let you utilize numerous Docker images throughout the build process, which helps to reduce the size of the final image by removing unneeded build artifacts. Docker ...
9 months ago Feeds.dzone.com
The 20 Most Essential Crypto Bug Bounty Programs - Working with cryptocurrency has become more and more popular in the last few years, but it’s not without risks. It’s important for sites that conduct digital payments and transfers to have security measures in place to help keep your data safe ...
1 year ago Hackread.com
LogoFAIL bugs in UEFI code allow planting bootkits via images - Multiple security vulnerabilities collectively named LogoFAIL affect image-parsing components in the UEFI code from various vendors. Researchers warn that they could be exploited to hijack the execution flow of the booting process and to deliver ...
10 months ago Bleepingcomputer.com
Patch Now: Critical Windows Kerberos Bug Bypasses Microsoft Security - Microsoft eased enterprise security teams into 2024 with a relatively light January security update consisting of patches for 48 unique CVEs, just two of which the company identified as being of critical severity. For the second straight month, ...
9 months ago Darkreading.com
'GhostRace' Speculative Execution Attack Impacts All CPU, OS Vendors - Researchers at IBM and VU Amsterdam have developed a new attack that exploits speculative execution mechanisms in modern computer processors to bypass checks in operating systems against what are known as race conditions. The attack leverages a ...
6 months ago Darkreading.com
macOS Malware Mix & Match: North Korean APTs Stir Up Fresh Attacks - North Korean advanced persistent threat groups are mixing and matching components of two recently unleashed types of Mac-targeted malware to evade detection and fly under the radar as they continue their efforts to conduct operations at the behest of ...
10 months ago Darkreading.com
LogoFAIL attack can install UEFI bootkits through bootup logos - Multiple security vulnerabilities collectively named LogoFAIL affect image-parsing components in the UEFI code from various vendors. Researchers warn that they could be exploited to hijack the execution flow of the booting process and to deliver ...
10 months ago Bleepingcomputer.com
Google Researchers' Attack Prompts ChatGPT to Reveal Its Training Data - A team of researchers primarily from Google's DeepMind systematically convinced ChatGPT to reveal snippets of the data it was trained on using a new type of attack prompt which asked a production model of the chatbot to repeat specific words forever. ...
10 months ago 404media.co
UEFI exploit 'worse than BlackLotus' pwns PCs using images The Register - Hundreds of consumer and enterprise devices are potentially vulnerable to bootkit exploits through unsecured BIOS image parsers. Security researchers have identified vulnerabilities in UEFI system firmware from major vendors which they say could ...
10 months ago Go.theregister.com
Days After Google, Apple Reveals Exploited Zero-Day in Browser Engine - Apple has patched an actively exploited zero-day bug in its WebKit browser engine for Safari. Actively Exploited Apple yesterday described the vulnerability as something an attacker could exploit to execute arbitrary code on affected systems. ...
8 months ago Darkreading.com
LLMs Open to Manipulation Using Doctored Images, Audio - Such attacks could become a major issue as LLMs become increasingly multimodal or are capable of responding contextually to inputs that combine text, audio, pictures, and even video. Hiding Instructions in Images and Audio At Black Hat Europe 2023 ...
10 months ago Darkreading.com
LG releases updates for vulnerabilities that could allow hackers to gain access to TVs - Four new vulnerabilities affecting thousands of LG TVs have been found by researchers who said the issues could allow hackers to add themselves as users and take other actions. Researchers from cybersecurity firm Bitdefender said the bugs - three of ...
6 months ago Therecord.media
Revolutionizing WordPress Bug Bounty and Security: Latest Enhancements to the Wordfence Bug Bounty Program - Our team has triaged around 2,140 vulnerability submissions, with about 1,320 deemed in-scope. Together with our researchers and software vendors, we've protected millions of websites from vulnerabilities - and this is just the beginning. We're ...
4 months ago Wordfence.com
Deluge of Nearly 300 Fake Apps Floods Iranian Banking Sector - A mammoth campaign targeting Iran's banking sector has grown in magnitude in recent months, with nearly 300 malicious Android apps targeting users for their account credentials, credit cards, and crypto wallets. Four months ago, researchers from ...
10 months ago Darkreading.com
Misconfigured Firebase Instances Expose 125 Million User Records - Hundreds of websites misconfigured Google Firebase, leaking more than 125 million user records, including plaintext passwords, security researchers warn. It all started with the hacking of Chattr, the AI hiring system that serves multiple ...
6 months ago Securityweek.com
Microsoft Gives Admins a Reprieve With Lighter-Than-Usual Patch Update - In what's sure to be a refreshing break for IT and security teams, Microsoft's monthly security update for December 2023 contained fewer vulnerabilities for them to address than in recent months. The update included fixes for a total of 36 ...
10 months ago Darkreading.com
New Malware Uses Fileless Technique to Deploy Ransomware - The group behind the Windows Gootloader malware, known as UNC2565, has effectively modified the code to make it more intrusive and difficult to detect. Researchers at Mandiant noted UNC2565 started making significant adjustments to its operational ...
1 year ago Cybersecuritynews.com
Google DeepMind Researchers Uncover ChatGPT Vulnerabilities - Scientists at Google DeepMind, leading a research team, have adeptly utilized a cunning approach to uncover phone numbers and email addresses via OpenAI's ChatGPT, according to a report from 404 Media. This discovery prompts apprehensions regarding ...
10 months ago Cysecurity.news
Hackers use new IceBreaker malware to breach gaming companies - Hackers have been targeting online gaming and gambling companies with what appears to be a previously unseen backdoor that researchers have named IceBreaker. The compromise method relies on tricking customer service agents into opening malicious ...
1 year ago Bleepingcomputer.com
Meta AI Models Cracked Open With Exposed API Tokens - Researchers recently were able to get full read and write access to Meta's Bloom, Meta-Llama, and Pythia large language model repositories in a troubling demonstration of the supply chain risks to organizations using these repositories to integrate ...
10 months ago Darkreading.com

Latest Cyber News


Cyber Trends (last 7 days)


Trending Cyber News (last 7 days)