A recently discovered vulnerability in the open-source ImageMagick library, which Yahoo! used to process images, could have allowed attackers to view image attachments in other users' email. After security researcher Chris Evans reported the flaw, Yahoo! retired the library and awarded Evans a $14,000 bounty.
This is not the first time the ImageMagick library has been found vulnerable: in 2016, a reported vulnerability (CVE-2016-3714) allowed attackers to upload maliciously crafted files and gain a remote shell on vulnerable web servers. The new vulnerability is triggered by an 18-byte exploit file attached to an email.