May 4, 2016

Critical vulnerability in ImageMagick discovered and immediately resolved on our servers

Recently, sources on the Internet reported a critical security vulnerability in the ImageMagick library. ImageMagick is a popular image processing utility for web sites, and it is utilized by many image processing plugins and tools. The vulnerability allows execution of remote code and file manipulation on the server.

Server security is a concern of an utmost importance, and our system administrators are constantly monitoring servers software and security lists, to make sure that our service is as safe as possible.

To mitigate the specific security problem, our system administrators immediately applied ImageMagick policy restrictions on all servers. The additional policy blocks certain ImageMagick features, such as the inclusion of remote data and operations with mvg files. The policy effectively resolves the problem with the specific vulnerability. Although unlikely, it is also possible that the policy would break some features of image processing tools and plugins. Nevertheless, we decided that the benefits of the additional restrictions outweigh the risks, as keeping our customers' data safe is of the highest priority for us.

A secure version of ImageMagick without additional restrictions will be mass-deployed on all servers as soon as it is released by its developers.