Hey Dave,
In case you haven't seen it: http://arstechnica.com/security/201...ge-number-of-sites-to-code-execution-attacks/
Basically, disable image uploading (if you can) on the site until you can deploy a fix for this (not sure if it's even available yet). Links are OK, but image uploads could compromise the whole thing.
And anybody else who runs a website, same deal. Not clear from their changelog (http://git.imagemagick.org/repos/ImageMagick/blob/master/ChangeLog) if it's been fixed yet. Appears not, though they mention buffer overflow, so MIGHT be, but hard to tell.
Edit: This thread (https://www.imagemagick.org/discourse-server/viewtopic.php?f=2&t=29594) thinks a fix will be out today, but that's upstream, so who knows how long until you can just "take a fix" for it. Supposedly there's a way to deny the TYPE of image that's vulnerable with a policy XML file that you probably already have, but you'll have to investigate how to do that if that's what you're going to do.
In case you haven't seen it: http://arstechnica.com/security/201...ge-number-of-sites-to-code-execution-attacks/
Basically, disable image uploading (if you can) on the site until you can deploy a fix for this (not sure if it's even available yet). Links are OK, but image uploads could compromise the whole thing.
And anybody else who runs a website, same deal. Not clear from their changelog (http://git.imagemagick.org/repos/ImageMagick/blob/master/ChangeLog) if it's been fixed yet. Appears not, though they mention buffer overflow, so MIGHT be, but hard to tell.
Edit: This thread (https://www.imagemagick.org/discourse-server/viewtopic.php?f=2&t=29594) thinks a fix will be out today, but that's upstream, so who knows how long until you can just "take a fix" for it. Supposedly there's a way to deny the TYPE of image that's vulnerable with a policy XML file that you probably already have, but you'll have to investigate how to do that if that's what you're going to do.
