Google Project Zero security researcher Tavis Ormandy has disclosed a new vulnerability in Ghostscript, a widely used software suite built around an interpreter for Adobe Systems' PostScript and Portable Document Format (PDF) page-description languages.
According to Ormandy, the vulnerability, which had neither a CVE identifier nor a fix at the time of writing, gives an attacker a way to take over applications and servers that use vulnerable versions of Ghostscript by sending a victim a malformed PostScript, PDF, EPS or XPS file containing malicious code. When such a file reaches the Ghostscript interpreter, the embedded code executes on the victim's machine. Because image-processing tools such as ImageMagick hand these formats to Ghostscript automatically, a file uploaded to a web application can reach the interpreter without any user ever opening it.
“I really *strongly* suggest that distributions start disabling PS, EPS, PDF and XPS coders in policy.xml by default,” Ormandy wrote. “I think this is the number one ‘unexpected ghostscript’ vector.”
Steve Giguere, lead EMEA engineer at Synopsys, said the exploit, with the potential for file system access, could lead to sensitive data leaks and more because it can be the beachhead opportunity for a more comprehensive attack.
“This Ghostscript exploit is a premium example of cascading dependencies on open source software packages, where the dependency of a core component may not be easily upgraded. Even when a CVE is associated with something like this, and a fix available, there will be a secondary delay whilst packages which incorporate this into their own software like ImageMagick release a version with a fix,” he added.
“In the short term, the advice to start disabling PS, EPS, PDF and XPS coders by default is the only defense” until a fix is available, he concluded.
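The mitigation Ormandy and Giguere both recommend is a set of coder rules in ImageMagick's policy.xml. The following is an added example, not code from the article, from Ormandy or from the ImageMagick project: it shows a constructed policy.xml fragment with no coder restrictions beside a hardened one, and a small checker that reports which of the Ghostscript-backed coders a given policy still leaves enabled. It goes slightly beyond the article's list by also covering the PS2 and PS3 coder names, which ImageMagick routes to Ghostscript as well. The sample policies, the coder list and the brace-list and glob handling are assumptions made for the example (ImageMagick's own pattern matching is approximated here with fnmatch); only rules with `rights="none"` are treated as a denial.

```python
import fnmatch
import sys
import xml.etree.ElementTree as ET

# Coders that ImageMagick delegates to Ghostscript (assumed list for this example;
# PS2/PS3 are added to the four the article names).
GHOSTSCRIPT_CODERS = ("PS", "PS2", "PS3", "EPS", "PDF", "XPS")

# Constructed sample (weak): a policymap with resource limits but no coder rules.
# A real policy.xml also carries an XML declaration and DOCTYPE, omitted here.
WEAK_POLICY = """<policymap>
  <policy domain="resource" name="memory" value="256MiB"/>
</policymap>
"""

# Constructed sample (hardened): the same file with Ghostscript coders denied.
HARDENED_POLICY = """<policymap>
  <policy domain="resource" name="memory" value="256MiB"/>
  <policy domain="coder" rights="none" pattern="PS" />
  <policy domain="coder" rights="none" pattern="PS2" />
  <policy domain="coder" rights="none" pattern="PS3" />
  <policy domain="coder" rights="none" pattern="EPS" />
  <policy domain="coder" rights="none" pattern="PDF" />
  <policy domain="coder" rights="none" pattern="XPS" />
</policymap>
"""

# Constructed sample: the same denial written as a single brace list.
BRACE_POLICY = """<policymap>
  <policy domain="coder" rights="none" pattern="{PS,PS2,PS3,EPS,PDF,XPS}" />
</policymap>
"""

# Constructed sample: a partial policy. rights="read" is not a denial, so PDF
# is still reachable; only PS is actually blocked.
PARTIAL_POLICY = """<policymap>
  <policy domain="coder" rights="read" pattern="PDF" />
  <policy domain="coder" rights="none" pattern="PS" />
</policymap>
"""


def _expand_pattern(pattern):
    """Expand a brace list such as '{PS,EPS}' into its members; other patterns pass through."""
    p = pattern.strip()
    if p.startswith("{") and p.endswith("}"):
        return [m.strip() for m in p[1:-1].split(",") if m.strip()]
    return [p]


def denied_coders(policy_xml, coders=GHOSTSCRIPT_CODERS):
    """Return the set of coders that some rights="none" coder rule in the policy denies."""
    root = ET.fromstring(policy_xml)
    denied = set()
    for rule in root.iter("policy"):
        if rule.get("domain") != "coder" or rule.get("rights", "").lower() != "none":
            continue
        for pat in _expand_pattern(rule.get("pattern", "")):
            # Approximation of ImageMagick's case-insensitive glob matching.
            for coder in coders:
                if fnmatch.fnmatchcase(coder, pat.upper()):
                    denied.add(coder)
    return denied


def missing_coder_denies(policy_xml, coders=GHOSTSCRIPT_CODERS):
    """List the Ghostscript-backed coders the policy still allows, in canonical order."""
    denied = denied_coders(policy_xml, coders)
    return [c for c in coders if c not in denied]


if __name__ == "__main__":
    # Usage: python check_policy.py [/etc/ImageMagick-6/policy.xml]
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            samples = {sys.argv[1]: fh.read()}
    else:
        samples = {"weak": WEAK_POLICY, "hardened": HARDENED_POLICY,
                   "brace": BRACE_POLICY, "partial": PARTIAL_POLICY}
    for name, xml_text in samples.items():
        still_enabled = missing_coder_denies(xml_text)
        status = "OK" if not still_enabled else "STILL ENABLED: " + ", ".join(still_enabled)
        print(f"{name}: {status}")
```

Run it against a distribution's policy.xml to confirm the denial rules are really present and spelled with `rights="none"`; a rule that merely restricts rights to read or write does not stop the coder from handing the file to Ghostscript, which is why the checker treats only `none` as a denial.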