Ghostscript Zero-Day Allows Full Server Compromises

Proof-of-concept exploit code was published online over the weekend for an unpatched Ghostscript vulnerability that puts all servers that rely on the component at risk of attacks. From a report: Published by Vietnamese security researcher Nguyen The Duc, the proof-of-concept code is available on GitHub and was confirmed to work by several of today's leading security researchers. Released back in 1988, Ghostscript is a small library that allows applications to process PDF documents and PostScript-based files. While its primary use is for desktop software, Ghostscript is also used server-side, where it is typically included with image conversion and file upload processing toolkits, such as the popular ImageMagick. The proof-of-concept code released by Nguyen on Sunday exploits this latter scenario, allowing an attacker to upload a malformed SVG file that escapes the image processing pipeline and runs malicious code on the underlying operating system. While Nguyen released the public exploit for this bug, he is not the one who discovered the vulnerability.

Read more of this story at Slashdot.