Metasploit modules will be released on Wednesday

Tuesday afternoon, Slack security engineer Ryan Huber posted a brief warning on Medium about vulnerabilities in ImageMagick, an image manipulation suite installed on millions of web servers. These flaws, which are being actively exploited by criminals, leave websites vulnerable to a complete takeover.

“There is some irony in disclosing vulnerabilities affecting an image processing package and not giving them logos, but here we are…,” Huber wrote, softening the blow some.

Humor aside, the issue is serious. Millions of web servers have ImageMagick compiled along with PHP, but the vulnerability is also present on servers where the library is used from Ruby (rmagick and paperclip) and from NodeJS’s ImageMagick bindings.

“Attackers are exploiting the issue by uploading malicious images to web applications that use the ImageMagick library to process them. There is a ton of attack surface,” said security researcher and Metasploit founder HD Moore.

On Wednesday, Moore said, Metasploit modules for the vulnerabilities will be released. It should be noted that Rapid7 was not involved in the discovery or disclosure of the ImageMagick problems.

In all, it’s expected that four CVEs will be issued around this flaw. For now, the only known identifier is CVE-2016-3714, and if a name has to be associated with it, Huber suggested ImageTragick. Additional details on the vulnerability will be posted later to the ImageTragick domain.

There are patches coming, but the disclosure came first because the flaws are being actively exploited. Until the patches are released, administrators can mitigate the problem by editing policy.xml. Details were posted on the ImageMagick forum Tuesday afternoon.

Another possible mitigation is to verify that images start with the correct “magic bytes” (file signatures) before they are passed to ImageMagick for processing. A full list of “magic bytes” for most common file types is available on Wikipedia.

According to Huber, the mitigations are effective against all exploit samples observed so far, but there is no guarantee they will eliminate all attack vectors.
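The magic-bytes mitigation described above, written out as an added example that is not part of the article and not code from ImageMagick or any of the projects named. It assumes a hypothetical upload handler that only accepts PNG, JPEG and GIF, checks that the file's leading bytes match a published signature for one of those formats, and also checks that the format claimed by the filename extension agrees with the signature actually found, so that a non-image disguised with an image extension never reaches ImageMagick. The sample inputs at the bottom are constructed for the demonstration.

```python
"""Allowlist check on image magic bytes, to run before any ImageMagick call.

Added example for the ImageTragick mitigation; hypothetical upload handler,
not code from the article or from ImageMagick.
"""
import os
from typing import Optional, Tuple

# Published leading-byte signatures of the raster formats this handler accepts.
SIGNATURES = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}

# Filename extensions the handler will accept, mapped to the canonical format.
EXTENSIONS = {"png": "png", "jpg": "jpeg", "jpeg": "jpeg", "gif": "gif"}

# Only this many bytes need to be read to perform the check.
HEADER_LEN = max(len(s) for sigs in SIGNATURES.values() for s in sigs)


def detect_format(data: bytes) -> Optional[str]:
    """Return the allowlisted format whose signature the data starts with, else None."""
    head = data[:HEADER_LEN]
    for fmt, sigs in SIGNATURES.items():
        if any(head.startswith(sig) for sig in sigs):
            return fmt
    return None


def validate_upload(filename: str, data: bytes) -> Tuple[bool, str]:
    """Decide whether an upload may be handed to ImageMagick.

    Returns (True, format) on success, or (False, reason) when the extension is
    not allowlisted, the content matches no allowlisted signature, or the two
    disagree. All three cases must be rejected before ImageMagick sees the file.
    """
    ext = os.path.splitext(filename)[1].lower().lstrip(".")
    claimed = EXTENSIONS.get(ext)
    if claimed is None:
        return False, f"extension .{ext} not allowlisted"
    actual = detect_format(data)
    if actual is None:
        return False, "leading bytes match no allowlisted image signature"
    if actual != claimed:
        return False, f"extension claims {claimed} but content signature is {actual}"
    return True, actual


# Constructed sample inputs: minimal headers, not real image files.
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\rIHDR" + b"\x00" * 16
SAMPLE_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 16
SAMPLE_GIF = b"GIF89a" + b"\x00" * 16
SAMPLE_TEXT = b"not really an image\n"


def run_demo():
    """Apply the check to the constructed samples and return the decisions."""
    uploads = [
        ("photo.jpg", SAMPLE_JPEG),   # genuine JPEG with matching extension
        ("logo.png", SAMPLE_PNG),     # genuine PNG with matching extension
        ("avatar.gif", SAMPLE_GIF),   # genuine GIF with matching extension
        ("upload.png", SAMPLE_TEXT),  # text content with an image extension
        ("pic.jpg", SAMPLE_PNG),      # real image, but extension disagrees
        ("drawing.svg", SAMPLE_PNG),  # extension not on the allowlist
    ]
    return {name: validate_upload(name, data) for name, data in uploads}


if __name__ == "__main__":
    for name, (ok, detail) in run_demo().items():
        print(f"{name:12s} {'ACCEPT' if ok else 'REJECT'}  {detail}")
```

The check reads only the first few bytes, so it is cheap enough to run on every upload; the point is that the decision is made on content, not on the extension or the client-supplied Content-Type, and that the two must agree. As Huber notes, this blocks the observed samples but is not a substitute for the policy.xml change or the forthcoming patches.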