When a security researcher discovered an easily exploited vulnerability in an open source library used by millions of websites, his first attempt at announcing it was a post on a Medium blog. But Ryan Huber was concerned about the flaw, which enabled a relatively simple remote code execution attack.
The ImageMagick open source image-processing library is a key component of many Web services and is incorporated, through bindings, in Web languages and runtimes including PHP, Python, Ruby and Node.js -- and it is present on millions of websites that process uploaded images. Huber was concerned the easily exploited flaw would quickly spread in the wild after the initial responsible disclosure.
"The blog was read hundreds of times, but as the hours passed, we became worried that not enough people were aware of the vulnerability. Every script kiddie would have it in their hands soon, but a majority of people had no idea this vulnerability existed," Huber wrote on the website put together to replace the Medium post after the initial disclosure, naming the vulnerability ImageTragick.
"We had thousands of hits in the first 15 minutes," Huber wrote. "We were at the top of hacker news, which a lot of people see. We were getting the word out on something tragickally [sic] simple to exploit. We'd do it again."
Several vulnerabilities in ImageMagick were discovered by Nikolay Ermishkin, a member of the Mail.Ru Security Team, and the pseudonymous hacker Stewie, but the most worrisome bug is CVE-2016-3714: It's remotely exploitable, is of low complexity and does not require authentication, user interaction or privileges to be exploited. ImageMagick does not properly filter "file names that get passed to the internal delegates that handle external protocols (like HTTPS)," wrote Daniel Cid, founder and CTO of Sucuri Inc., based in Menifee, Calif. "This allows an attacker to execute his own commands remotely by uploading an image."
Worse, because the ImageMagick libraries are used in so many applications and services, many users may be completely unaware they are affected by the vulnerability, making it all the more important to spread the news of the vulnerability quickly.
The worst part: The vulnerability was already being exploited by unknown threat actors.
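The weakness Cid describes is that ImageMagick decides how to parse an upload from its content, so a text file that merely claims to be a photo can reach the delegate code path. One defensive check of the kind the researchers recommended alongside a restrictive policy.xml is to verify the file's leading bytes against the format its name claims. The following is an added example, not code from the article or from the ImageMagick project; the allow-list, the function names and the sample inputs are all constructed here.

```python
# Added example: refuse uploads whose header does not match the raster image
# format their filename claims, before the bytes are ever handed to ImageMagick.
# Assumption: the service only needs PNG, JPEG and GIF; anything else is rejected.

MAGIC = {
    "png": [b"\x89PNG\r\n\x1a\n"],
    "jpg": [b"\xff\xd8\xff"],
    "jpeg": [b"\xff\xd8\xff"],
    "gif": [b"GIF87a", b"GIF89a"],
}


def detect_format(data: bytes):
    """Return the allow-listed format whose magic bytes open `data`, or None.

    Text-based formats (MVG, SVG) have no entry here, so a text file that
    ImageMagick would otherwise sniff and route to a delegate yields None.
    """
    for fmt, signatures in MAGIC.items():
        if any(data.startswith(sig) for sig in signatures):
            return fmt
    return None


def is_safe_upload(filename: str, data: bytes) -> bool:
    """True only when the extension is allow-listed and the header agrees with it."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in MAGIC:
        return False
    actual = detect_format(data)
    if actual is None:
        return False
    # jpg and jpeg share a signature list, so compare signatures rather than names.
    return MAGIC[actual] == MAGIC[ext]


# Constructed sample inputs (truncated headers, not real image files).
GOOD_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 8
GOOD_JPEG = b"\xff\xd8\xff\xe0" + b"\x00" * 4
# A text-based MVG header renamed to .png: ImageMagick would sniff it as MVG.
TEXT_AS_PNG = b"push graphic-context\nviewbox 0 0 640 480\n"

if __name__ == "__main__":
    for name, blob in [("photo.png", GOOD_PNG), ("avatar.png", TEXT_AS_PNG)]:
        print(name, "accepted" if is_safe_upload(name, blob) else "rejected")
```

This check complements, rather than replaces, the patched library and a policy.xml that disables the coders the service does not need.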
Was ImageTragick a case of responsible disclosure?
Despite the celebrity vulnerability brand name, ImageTragick appears to be a responsible disclosure of a serious vulnerability: The researchers reported the vulnerability to, and worked with, ImageMagick prior to their public disclosure, and they waited until ImageMagick released patches before going public. The team also provided details of the vulnerabilities, as well as offering mitigations on their website, which itself was updated several times after the initial publication.
Jake Williams, founder of consulting firm Rendition InfoSec LLC in Augusta, Ga., said "the vulnerability got better press after they cooked up a website." While giving the vulnerability a memorable nickname makes it easier for the media to cover, Williams said "the computing public at large has a limited bandwidth to process these sorts of vulnerabilities. We as the infosec community need to make sure that we only heavily publicize those vulnerabilities that are the most impactful to the widest possible community."
"I think ImageTragick meets that definition," Williams said. "The library is embedded in many products and other libraries. The tragic (pun intended) truth is that one of your products may be using ImageMagick without you even knowing it."
"While this is not as egregious as some celebrity vulnerabilities have been in the past, [the ImageTragick researchers] do mention that they branded this in a way designed to get attention and boost their low numbers of blog views," said John Bambenek, manager of threat systems for Fidelis Cybersecurity in Waltham, Mass. "If you are measuring the success of your vulnerability research by Web traffic, you're focused on the wrong things."
"What was good about his release is that it included mitigation steps defenders could take," Bambenek added. "People can read this and take steps to do something about it."
Other lessons learned
As for the infosec community policing itself to avoid overhyping vulnerabilities, Bambenek said "the most credible researchers and the security community at large tend to eventually shun the researchers who generate a lot of unwarranted hype."
Tyler Reguly, manager of the Vulnerability and Exposure Research Team (VERT) at Tripwire Inc., based in Portland, Ore., suggested "the primary lesson here is that a platform like Medium is not the proper place to share important vulnerability information. There are websites, mailing lists and groups that are dedicated to this and would provide a much better delivery method. It's great to see that the researchers in this case learned that quickly, but I feel like this escalated quickly from poor delivery method to branded vulnerability without the middle ground where vulnerability disclosures should occur."
Lane Thames, security researcher from VERT at Tripwire, said: "The security industry does not want to go down a path of being stereotyped as those who 'cry wolf.' Unfortunately, some are heading down that path, as we saw with Badlock."
Central clearinghouse for vulnerability disclosures?
"Unfortunately, there's nothing to stop people from standing up a website with a logo and theme music for a vulnerability that is total BS," Williams said. "We in the industry will have to police ourselves. It would be nice if the media would reach out to other industry experts to get an opinion before hyping the story. I doubt that will happen though, since sensational 'The sky is falling' type [of] news tends to get more clicks than, 'There's nothing to see here.'"
Noting that there is no "central clearinghouse for expert opinions," Williams said "experts who downplay a problem are often not quoted in stories."
"I think the press is best served by locating trusted industry contacts to get a sanity check from. Maybe an infosec Jedi Council of sorts is needed to officially validate whether a particular vulnerability is worthy of naming, hyping, etc."
Reguly said, "We're failing at standardizing disclosures and information sharing. While we've seen successes with standardized identifiers, [such as] CVE, and standardized scoring, [such as] CVSS, we're just not seeing that with disclosures. In order to stay on top of important issues, it's something that we, as an industry, need to address."
"This is definitely one of the more disappointing aspects of our industry," Reguly said. "We don't have a centralized location for disclosures. You have to monitor a number of mailing lists, vendor websites, blogs, social media and other sources. Ideally, CERT organizations around the world would have a shared page -- or each host their own mirror of a page -- that would allow for disclosure consolidation, giving everyone in the industry a single focal point. Branded vulnerabilities with their own websites is not a maintainable approach and has only worked up to this point due to the media attention given to a website and a graphic over a similarly serious mailing-list post."
"It is good to have some type of mechanism that can be used to quickly and widely disseminate useful information for highly critical vulnerabilities," Thames said. "Herein, however, lies the problem: Who determines that a given vulnerability is highly critical, and how does that entity make the determination?"
Regular patching could help
"We as an industry spend a lot of mental energy and anxiety on zero-days," Bambenek said. "The reality is if consumers and SMBs [small and medium-sized businesses] just patched their OS [operating system] and applications, it would have magnitudes more impact than the release of even the most credible celebrity vulnerability."
"Unlike the Windows OS, which has a great vulnerability notification and lifecycle management program, other OSes don't do such a good job," Williams said. "It's the lesser managed products that need more publicity to force action. But this publicity is only warranted if the sky is truly falling. We can only claim the sky is falling so many times before people stop paying attention."