Ghostscript Vulnerability

Google Project Zero security researcher Tavis Ormandy discovered a vulnerability in Ghostscript, a widely adopted interpreter for Adobe’s PostScript and PDF page description languages. Ghostscript is embedded in hundreds of software suites and coding libraries, such as ImageMagick, Evince, and GIMP. Exploitation of the vulnerability could allow an attacker to gain control over applications and servers running vulnerable versions of Ghostscript and enable the ability to execute arbitrary commands on a vulnerable system. To exploit the flaw, an attacker would send a malformed PostScript, PDF, EPS, or XPS file to a victim. Once the file reaches the Ghostscript interpreter, the malicious code contained within will execute an attacker's desired actions on that machine. Currently, there is no patch available for the vulnerability. The NJCCIC advises users and administrators to review the CERT/CC Vulnerability Note for additional information, including a list of affected vendors and suggested workarounds, and apply the appropriate patches when available.