Reference: CERT-EU Security Advisory 2016-124
Title: Critical vulnerability in ImageMagick allowing remote code execution
Version history: 04/05/2016 Initial publication.

Summary:
========
On May 3rd, 2016, security researchers reported several bugs in ImageMagick [1], a package commonly used by web services to process images. [2][3] One of the vulnerabilities can lead to remote code execution (RCE) if a website processes user-submitted images. This vulnerability is referenced by CVE-2016-3714.

Products Affected:
==================
Affected versions of ImageMagick are all versions prior to 7.0.1-1 and 6.9.3-10. A Proof of Concept is available [4].

Recommendations:
================
Update ImageMagick to the latest version.

A workaround is to add an extra check for valid "magic bytes" in uploaded images before their processing and/or to edit the policy file to disable the vulnerable ImageMagick codecs. [2]

References:
==========
[1] https://www.imagemagick.org/script/index.php
[2] https://imagetragick.com/
[3] http://www.openwall.com/lists/oss-security/2016/05/03/18
[4] https://twitter.com/Viss/status/727613890020806656

Best Regards,
CERT-EU Team (http://cert.europa.eu)
Phone: +32.2.2990005 / e-mail: cert-eu@ec.europa.eu
PGP KeyID 0x46AC4383 FP: 9011 6BE9 D642 DD93 8348 DAFA 27A4 06CA 46AC 4383
Privacy Statement: http://cert.europa.eu/cert/plainedition/en/cert_privacy.html
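The "magic bytes" workaround from the Recommendations section, as an added example (not CERT-EU or ImageMagick code): an upload gate that rejects any file whose leading bytes do not carry a known raster signature that also agrees with the declared extension, so ImageMagick never auto-selects a text-based coder from attacker-controlled content. The signature table, the sample GIF header and the sample MVG text body are constructed for this example; use it alongside the policy.xml coder restriction, not instead of it.

```python
from typing import Optional

# Constructed table of header signatures ("magic bytes") for the raster
# formats the upload endpoint is willing to accept. Anything else is refused
# before ImageMagick sees it, so a text-based coder (MVG, MSL, ...) cannot be
# chosen from the body of an uploaded file.
MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpeg": b"\xff\xd8\xff",
    "gif87a": b"GIF87a",
    "gif89a": b"GIF89a",
}
_HEADER_LEN = max(len(sig) for sig in MAGIC.values())


def sniff_image_type(data: bytes) -> Optional[str]:
    """Return the matching signature name, or None when nothing matches."""
    head = data[:_HEADER_LEN]
    for name, sig in MAGIC.items():
        if head.startswith(sig):
            return name
    return None


def is_acceptable_upload(data: bytes, declared_ext: str) -> bool:
    """Accept only if a known signature is present AND it agrees with the
    extension the client declared; a 'photo.gif' that actually starts with
    MVG text, or a PNG posted as .jpg, is rejected."""
    detected = sniff_image_type(data)
    if detected is None:
        return False
    ext = declared_ext.lower().lstrip(".")
    if ext in ("jpg", "jpeg"):
        return detected == "jpeg"
    if ext == "gif":
        return detected in ("gif87a", "gif89a")
    return detected == ext


# Constructed samples: a minimal GIF89a header, and a benign MVG-style text
# body (the kind of input ImageTragick abuses) offered under a .gif name.
SAMPLE_GIF = b"GIF89a\x01\x00\x01\x00\x80\x00\x00"
SAMPLE_MVG_TEXT = b"push graphic-context\nviewbox 0 0 640 480\npop graphic-context\n"

if __name__ == "__main__":
    print("gif accepted:", is_acceptable_upload(SAMPLE_GIF, ".gif"))
    print("mvg-as-gif accepted:", is_acceptable_upload(SAMPLE_MVG_TEXT, ".gif"))
```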