Yahoo banishes ImageMagick software after it was found vulnerable to data exfiltration

Yahoo has reportedly stopped using ImageMagick, an image processing library, after two vulnerabilities were found in it that allowed users' content to be read, without authorization, from the memory of Yahoo's private servers.

Security researcher Chris Evans discovered the vulnerabilities and named them Yahoobleed #1 and Yahoobleed #2, because both leaked data from the contents of server memory.

Yahoobleed #1 is a zero-day ImageMagick bug in the decoder for the RLE (Run Length Encoded) image format. It was caused by an "uninitialized image decode buffer" that was "used as the basis for an image rendered back to the client," Evans explained in his blog post. The result is a leak of server-side memory.

Yahoobleed #2 affected Yahoo's thumbnailing servers, which were running a two-year-old out-of-bounds error in ImageMagick's SUN decoder. To test the vulnerability, Evans wrote a 40-byte SUN exploit file that exfiltrated leaked memory as a JPEG-compressed image, from which he was able to recover raw bytes of data.
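Both bugs above come from the same family: a decoder that produces output pixels from memory it never wrote (Yahoobleed #1) or reads outside the bounds of what it was given (Yahoobleed #2). The toy decoder below is an added illustration and is not Evans' code or ImageMagick's; its run-length format, the names `decode_rle_vulnerable`, `decode_rle_hardened`, `count_stale` and the `STALE_BYTE` constant are all invented for the example. `STALE_BYTE` stands in for whatever a real allocator leaves behind in a reused heap block, so that the leak is reproducible here; the hardened version zeroes its buffer, bounds every input read, and rejects a stream that does not cover the whole image instead of padding it with old memory.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed toy format: (count, value) byte pairs that must expand to
 * exactly width*height pixels. Not ImageMagick's RLE or SUN coder. */

/* Stand-in for data a previous allocation left in a reused heap block;
 * real malloc() memory is simply unspecified. */
#define STALE_BYTE 0xAA

/* Vulnerable pattern: output buffer never initialised, and no check that the
 * stream covered every pixel. A truncated stream yields a "picture" whose
 * tail is old heap contents, which is exactly what gets rendered back. */
uint8_t *decode_rle_vulnerable(const uint8_t *stream, size_t stream_len,
                               size_t width, size_t height)
{
    size_t npix = width * height;
    uint8_t *out = malloc(npix);
    if (out == NULL) return NULL;
    memset(out, STALE_BYTE, npix);          /* simulate stale heap data */

    size_t pos = 0, in = 0;
    while (pos < npix && in + 1 < stream_len) {
        uint8_t count = stream[in], value = stream[in + 1];
        in += 2;
        for (size_t i = 0; i < count && pos < npix; i++) out[pos++] = value;
    }
    return out;                             /* out[pos..npix) never written */
}

/* Hardened version: size arithmetic checked, buffer zeroed, every input read
 * bounded by stream_len, and a stream that does not fill the image rejected. */
uint8_t *decode_rle_hardened(const uint8_t *stream, size_t stream_len,
                             size_t width, size_t height)
{
    if (width == 0 || height == 0 || width > SIZE_MAX / height) return NULL;
    size_t npix = width * height;
    uint8_t *out = calloc(npix, 1);
    if (out == NULL) return NULL;

    size_t pos = 0, in = 0;
    while (pos < npix) {
        if (in + 2 > stream_len) { free(out); return NULL; } /* truncated input */
        uint8_t count = stream[in], value = stream[in + 1];
        in += 2;
        if (count > npix - pos) { free(out); return NULL; }  /* run overflows image */
        memset(out + pos, value, count);
        pos += count;
    }
    return out;
}

/* Number of output bytes still carrying the stale marker. */
size_t count_stale(const uint8_t *buf, size_t n)
{
    size_t k = 0;
    for (size_t i = 0; i < n; i++) if (buf[i] == STALE_BYTE) k++;
    return k;
}

/* Constructed inputs for a 4x2 image (8 pixels): the first stream stops
 * after 5 pixels, the second covers all 8. */
static const uint8_t truncated_stream[] = {3, 0x11, 2, 0x22};
static const uint8_t complete_stream[]  = {3, 0x11, 5, 0x22};

/* Vulnerable decoder on the truncated stream: how many pixels are old memory? */
size_t demo_vulnerable_leak(void)
{
    uint8_t *img = decode_rle_vulnerable(truncated_stream, sizeof truncated_stream, 4, 2);
    size_t stale = img ? count_stale(img, 8) : 0;
    free(img);
    return stale;                           /* 3 of 8 pixels are stale */
}

/* Hardened decoder: truncated stream is refused outright. */
int demo_hardened_rejects_truncated(void)
{
    return decode_rle_hardened(truncated_stream, sizeof truncated_stream, 4, 2) == NULL;
}

/* Hardened decoder: complete stream decodes with every pixel written. */
int demo_hardened_accepts_complete(void)
{
    uint8_t *img = decode_rle_hardened(complete_stream, sizeof complete_stream, 4, 2);
    int ok = img != NULL && count_stale(img, 8) == 0 && img[7] == 0x22;
    free(img);
    return ok;
}

int main(void)
{
    printf("vulnerable decoder: %zu of 8 pixels are stale memory\n", demo_vulnerable_leak());
    printf("hardened rejects truncated stream: %d\n", demo_hardened_rejects_truncated());
    printf("hardened accepts complete stream:  %d\n", demo_hardened_accepts_complete());
    return 0;
}
```

The hardened decoder makes the same two checks a reviewer would ask for in any image coder: every read of the input is compared against the input length before it happens, and the decoder tracks how much of the output it has actually written and refuses to return anything else. Zeroing the buffer with `calloc` is the backstop, not the fix; without the coverage check a short file would still render as a black-padded image instead of an error.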

Evans further explained that seeing a random face in the JPEG attachment he had sent to himself to test Yahoobleed #1 spooked him; he destroyed all files derived from uninitialized memory and reported the bug to the ImageMagick developers.

Yahoo paid Evans $14,000 for his work, which he plans to donate to charity. Evans himself authored the fix for the vulnerability.

In a rare security "win" for Yahoo, which is still reeling from a pair of damaging data breaches that affected hundreds of millions of accounts, the company earned Evans' kudos for responding decisively to his vulnerability disclosures within its self-imposed 90-day response window.