How an uploaded image could take over your website, and how to stop it | Cyber Security

Vulnerability hunter Tavis Ormandy just reported a series of security problems in an application called Ghostscript.

Ormandy works for Google’s Project Zero – he literally finds bugs for a living – and his work is both well-known and renowned…

…but who or what is Ghostscript, and why would someone as skilled as Ormandy feel the need to dig into it?

Well, for many people, Ghostscript is software they’ve never heard of, but probably use or rely upon regularly without even realising it.

Ghostscript is a free, open source implementation of Adobe PostScript, a programming language and ecosystem that powers many printers, and that is the technical underpinning to almost every PDF file out there.

Indeed, if you open a PDF file, or generate one, you’re almost certainly firing up a PostScript runtime environment to execute a PostScript program that describes the document.

Many open source toolkits – image editors, document creators, illustration packages, PDF viewers and more – rely on Ghostscript to do the heavy lifting of text and graphics rendering.

In other words, whether you know it or not, you probably used Ghostscript recently, if not locally on your own computer then remotely on someone else’s servers when you used a cloud service.

Remote code execution and data leakage bugs in Ghostscript are therefore worth knowing about, even if they don’t put you in immediate danger and you have to rely on someone else to sort them out.