Forum Thread: Incorrect version detection of Imagemagick

You are currently viewing a forum thread in the Secunia Community Forum. Please note that opinions expressed here are not of Secunia but solely reflect those of the user who wrote it.

This thread was submitted in the following forum:
Programs

Relating to this vendor:
ImageMagick Studio LLC
And, this specific program:
ImageMagick 6.x

This thread has been marked as locked.
dickvisser Incorrect version detection of Imagemagick
Member 22nd Mar, 2012 11:17
Ranking: 2
Posts: 15
User Since: 14th Mar, 2012
System Score: N/A
Location: NL
Hi

After being signalled that my Imagemagick 6.7.5-1 was out-of-date, I uninstalled that and then installed the latest version from http://www.imagemagick.org/download/binaries/Image... As the URL shows, this is 6.7.6-1, quality 16 bit pp, static compiled x64 version.
Secunia PSI incorrectly detects this as being 6.7.6:


Detected Instances:
C:\Program Files\ImageMagick-6.7.6-Q16\convert.exe, version 6.7.6

Latest Version - patching one or more vulnerabilities:
6.7.6-1


Running the main tool ("convert.exe") clearly says it too:

C:\Users\visser>"C:\Program Files\ImageMagick-6.7.6-Q16\convert.exe" /?
Version: ImageMagick 6.7.6-1 2012-03-14 Q16 http://www.imagemagick.org
Copyright: Copyright (C) 1999-2012 ImageMagick Studio LLC
Features: OpenMP

Usage: convert.exe [options ...] file [ [options ...] file ...] [options ...] file

So it looks like PSI mistakenly used the directory name when establishing the version...

Thanks.



M.Rehman RE: Incorrect version detection of Imagemagick
Secunia Official 22nd Mar, 2012 14:56
Score: 25
Posts: 41
User Since: 12th May 2011
System Score: N/A
Location: Copenhagen, DK
Hi,

There is an issue in this software.

The issue is that the vendor is providing the same version information in both version 6.7.6-0 and 6.7.6-1.

The vendor is not updating the "-x" number, which means that every version of the 6.7.6 branch has the same version information.

We have looked at all the .exe files for the software as well as all the .dll files, and are trying to figure out a way of taking care of this issue, but most likely, we will not be able to solve this until the vendor starts giving the whole version number in the file information for the software files.

Hope you understand.

--
Kind regards,

Munib Rehman
Secunia Support

Secunia PSI
http://secunia.com/vulnerability_scanning/personal
dickvisser RE: Incorrect version detection of Imagemagick
Member 22nd Mar, 2012 15:38
Score: 2
Posts: 15
User Since: 14th Mar 2012
System Score: N/A
Location: NL
I've just reported this as a bug, hope someone there picks it up:
http://www.imagemagick.org/discourse-server/viewto...
Was this reply relevant?
+2
-0
macox RE: Incorrect version detection of Imagemagick
Member 25th Mar, 2012 12:24
Score: 1
Posts: 6
User Since: 25th Mar 2012
System Score: N/A
Location: LU
Sorry, but I disagree. While it is bad practice of ImageMagick to not update the version string for small changes, I still consider it a Secunia bug to expect a version number not actually used by the vendor. If Secunia isn't able to use other information from the signature in the executable (like for example the build date which allows distinguishing the 2 versions).
Was this reply relevant?
+1
-1
Maurice Joyce RE: Incorrect version detection of Imagemagick
Handling Contributor 25th Mar, 2012 12:51
Score: 11626
Posts: 8,915
User Since: 4th Jan 2009
System Score: N/A
Location: UK
PSI reads metadata. From other threads U have posted to it is clear U have no idea how Secunia reads vendor data to scan & produce a user report.

http://secunia.com/vulnerability_scanning/personal...

If U consider there are others ways to accurately portray this detail where is the syntax.

Secunia should not have to consider or make allowances for errors created by lazy vendors.

--
Maurice

Windows 7 SP1 64 Bit OS
HP Intel Pentium i7
IE 11 for Windows 7 SP1
16GB RAM
Was this reply relevant?
+4
-2
macox RE: Incorrect version detection of Imagemagick
Member 25th Mar, 2012 21:04
Score: 1
Posts: 6
User Since: 25th Mar 2012
System Score: N/A
Location: LU
I'm sorry to disappoint you, but I see clearly how Secunia operates. Your so called "metadata" is in reality the information contained in the "VERSIONINFO" resource right inside the executable.
Unfortunately, this version information is just a text string and there is no official rule what this version must look like. What makes things worse is that sometimes, the internal version string of the VERSIONINFO resource is different from the version number as displayed to the user. This has already resulted in some false positives with Secunia in the past. However these false positives have always been resolved by Secunia updating their signatures to the actual version string of the software. Examples of this are (at least) 2 false positives on Novell iPrint in the past and currently a false positive on LibreOffice (which I hope will soon be fixed).

This case here is of course more difficult than the LibreOffice case because this time we have a duplicate version string between 2 different versions.

I see 2 logical ways for Secunia PSI to handle version string problems:

1. I don't know if Secunia uses an additional method of determining the version of a program. If yes, this additional information should be used to break the tie. If not, bad luck.

2. Secunia should never "require" a version string that does not exist, but use the version string of the "good" version. In the case of LibreOffice for example, Secunia should consider 3.5.0.102 as the latest version from the version string point of view and not 3.5.1. Similarly, it should consider 6.7.5 as the latest version string for ImageMagick. Secunia can't require a version string that simply does not exist in a file. The bad thing about using version string 6.7.5 would be not to be able to detect the good versus the bad version, but *this* would be ImageMagick's problem. However as long as there does not exist a version string 6.7.5-1, Secunia can't request that version string.

So I would say that if Secunia PSI does not have any additional way of determining the version of a file beside the version string, then the logical choice for cases like this would be to "fail" to detect the bad version. After all, Secunia does not warn about vulnerable software with no fix either. So this would be the more consistent behaviour and would avoid unnecessary panic of the users.
Was this reply relevant?
+1
-1
Anthony Wells RE: Incorrect version detection of Imagemagick
Expert Contributor 25th Mar, 2012 21:26
Score: 2428
Posts: 3,317
User Since: 19th Dec 2007
System Score: N/A
Location: N/A
Last edited on 25th Mar, 2012 21:28
Hello ,

The "metadata" is anything that Secunia can read and rely on as a file source. Often the main .exe file is not updated and so Secunia look for a file they can upload, e.g. a .dll, and use this to identify the version loaded on your system.

Here is a current example :-

http://secunia.com/community/forum/thread/show/123...

and the same will apply to Libre Office when Support get around to updating their rules (hopefully on Monday) and find a file in a fully patched version that matches their remit.

Their system is one that they rely on and it works for them; so if a vendor does not/cannot supply the relevant data within the programme that is the vendor's problem. Secunia often discuss these things with the vendor (direct or via a user) whenever possible. Mountains and Mahomet spring to mind.

EDIT: metadata :-

http://en.wikipedia.org/wiki/Metadata

Take care

Anthony

--


It always seems impossible until its done.
Nelson Mandela
Was this reply relevant?
+1
-0
davidows RE: Incorrect version detection of Imagemagick
Member 30th Mar, 2012 01:52
Score: 16
Posts: 30
User Since: 24th Apr 2008
System Score: 100%
Location: US
macox is only embarrassing and disappointing himself/herself. Better to be thought a fool than to open one's mouth and remove all doubt.

macox doesn't have ANY clarity WRT to "how Secunia operates" and it's NOT [their] "so called 'metadata'" anyway. Metadata is a commonly used IT term for embedded descriptive data regarding an object.

There IS a common sense practice (not an official rule) that the vendor should not publish a file with a security patch, or any other hotfix, using the same complete version number as the unpatched file. After all, what's the purpose of version numbers in metadata anyway? It's to indicate the order of releases by means other than the file date, which can easily be changed either deliberately or inadvertently by the user or some miscreant.

In the case of Imagemagick, Secunia is not "requiring" "a version string that does not exist". It simply exists in an inappropriate field of the file properties, i.e. the "Comments" section, not the "File Version", nor the "Product Version".

macox isn't clear as to which version he/she claims the user "sees" either. Perhaps macox thinks users only know how to check The Version Number, as displayed in the Help/About dialog. macox should try looking at the File Properties dialog, where all three of the above are visible.

We aren't referring to 6.7.5 anyway. The current (patched) version is 6.7.6-1, as identified in the Comments field of the Windows file property dialog. Just because Secunia doesn't flag software with unpatched vulnerabilities, that's no reason for PSI to ignore an item for which there is a patch, even if the lame and lazy vendor only bothered to indicate the different version in the Comments, rather than either the File or Product Version metadata.

Was this reply relevant?
+0
-0
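The two posts above disagree about what a scanner should do when the VERSIONINFO "File Version" and "Product Version" fields stop at 6.7.6 while only the Comments field carries the full "6.7.6-1" release label. The following script is an added example written for this thread; it is not Secunia's or ImageMagick's code, and nothing is known here about how PSI actually decides. It assumes the string fields have already been read out of the version resource and models them as a constructed dictionary. The official fields decide major.minor.patch; Comments is consulted only as a tie-breaker, and only when it agrees on the branch, so a stale comment can never move a file elsewhere. Where no release number is available at all, the result is "indeterminate" rather than a false alarm, which is the behaviour macox argued for.

```python
import re
from typing import Dict, Optional, Tuple

# Version tuple: (major, minor, patch, release); release is the "-N" suffix
# ImageMagick uses (6.7.6-1) and may be missing from a given field.
Version = Tuple[int, int, int, Optional[int]]

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:-(\d+))?")

# Constructed sample data (hypothetical file names, not read from real files):
# the string fields of VERSIONINFO resources as the thread describes them.
# FileVersion/ProductVersion stop at 6.7.6 for every 6.7.6-N build; only
# Comments carries the release number, and one install lacks it entirely.
SAMPLE_RESOURCES: Dict[str, Dict[str, str]] = {
    "convert-6.7.6-1.exe": {
        "FileVersion": "6.7.6",
        "ProductVersion": "6.7.6",
        "Comments": "ImageMagick 6.7.6-1 2012-03-14 Q16 http://www.imagemagick.org",
    },
    "convert-6.7.6-0.exe": {
        "FileVersion": "6.7.6",
        "ProductVersion": "6.7.6",
        "Comments": "ImageMagick 6.7.6-0 2012-03-03 Q16 http://www.imagemagick.org",
    },
    "convert-6.7.5-1.exe": {
        "FileVersion": "6.7.5",
        "ProductVersion": "6.7.5",
        "Comments": "ImageMagick 6.7.5-1 2012-02-20 Q16 http://www.imagemagick.org",
    },
    "convert-no-comments.exe": {
        "FileVersion": "6.7.6",
        "ProductVersion": "6.7.6",
    },
}

LATEST_PATCHED = "6.7.6-1"  # the "Latest Version" PSI shows in the first post


def parse_version(text: str) -> Optional[Version]:
    """Extract the first x.y.z[-N] version from a resource string field."""
    m = VERSION_RE.search(text or "")
    if not m:
        return None
    major, minor, patch, rel = m.groups()
    return (int(major), int(minor), int(patch), int(rel) if rel is not None else None)


def detected_version(fields: Dict[str, str]) -> Tuple[Optional[Version], str]:
    """Return (version, name of the field it was taken from).

    FileVersion/ProductVersion are authoritative for major.minor.patch. If
    neither carries a release number, Comments breaks the tie, but only when
    it agrees with the official fields on major.minor.patch.
    """
    base = None
    for key in ("FileVersion", "ProductVersion"):
        v = parse_version(fields.get(key, ""))
        if v is None:
            continue
        if v[3] is not None:
            return v, key  # official field already has the full version
        base = base or (v, key)
    if base is None:
        return None, ""
    comment = parse_version(fields.get("Comments", ""))
    if comment and comment[3] is not None and comment[:3] == base[0][:3]:
        return comment, "Comments"
    return base


def classify(fields: Dict[str, str], latest: str = LATEST_PATCHED) -> str:
    """Classify a file as 'up-to-date', 'outdated', 'indeterminate' or 'unknown'."""
    latest_v = parse_version(latest)
    found, _source = detected_version(fields)
    if found is None or latest_v is None:
        return "unknown"
    if found[:3] < latest_v[:3]:
        return "outdated"  # older branch: no tie-break needed
    if found[:3] > latest_v[:3]:
        return "up-to-date"
    # Same major.minor.patch as the patched release: only the release number
    # decides, and if the file does not expose one we refuse to guess.
    if found[3] is None and latest_v[3] is not None:
        return "indeterminate"
    return "up-to-date" if (found[3] or 0) >= (latest_v[3] or 0) else "outdated"


if __name__ == "__main__":
    for name, fields in SAMPLE_RESOURCES.items():
        version, source = detected_version(fields)
        print(f"{name:26} {version!s:18} from {source or '-':12} -> {classify(fields)}")
```

The "indeterminate" outcome is the important design choice: a scanner that matches only FileVersion must either flag every 6.7.6 build (the false positive reported in this thread) or flag none of them (missing the real 6.7.6-0 installs). Recording that the file could not be classified keeps the report honest and lets the item be reviewed separately instead of being silenced with "ignore".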
erix53 RE: Incorrect version detection of Imagemagick
Member 30th Mar, 2012 09:27
Score: 18
Posts: 24
User Since: 30th Mar 2012
System Score: N/A
Location: IT
Discussion apart, have the authors of ImageMagick been notified of this problem?

Having a PSI false positive is rather annoying, as the yellow icon makes spotting other problems less obvious; on the other hand, disabling ImageMagick check would be bad security practice.
Was this reply relevant?
+0
-1
Maurice Joyce RE: Incorrect version detection of Imagemagick
Handling Contributor 30th Mar, 2012 09:47
Score: 11626
Posts: 8,915
User Since: 4th Jan 2009
System Score: N/A
Location: UK
Yes - @dickvisser has done that on a post above.

I've just reported this as a bug, hope someone there picks it up:
http://www.imagemagick.org/discourse-server/viewto...


--
Maurice

Windows 7 SP1 64 Bit OS
HP Intel Pentium i7
IE 11 for Windows 7 SP1
16GB RAM
Was this reply relevant?
+1
-0
erix53 RE: Incorrect version detection of Imagemagick
Member 30th Mar, 2012 10:01
Score: 18
Posts: 24
User Since: 30th Mar 2012
System Score: N/A
Location: IT
on 30th Mar, 2012 09:47, Maurice Joyce wrote:
Yes - @dickvisser has done that on a post above.


Oops... and I read all the thread. Short term memory failure. Sorry for the noise.
Was this reply relevant?
+1
-0
erix53 RE: Incorrect version detection of Imagemagick
Member 2nd Apr, 2012 18:21
Score: 18
Posts: 24
User Since: 30th Mar 2012
System Score: N/A
Location: IT
6.7.6-3 and still the same exe version number.
I too filed a bug report with ImageMagick, I hope they'll fix it.
Was this reply relevant?
+1
-0
mabloo RE: Incorrect version detection of Imagemagick
Member 4th Apr, 2012 08:38
Score: 1
Posts: 1
User Since: 4th Apr 2012
System Score: N/A
Location: DE
Hello,
sorry for my bad English!
I find PSI a very useful tool. But one really disturbing thing are the false alarms like Imagemagick and OpenOffice.
The problem is the yellow symbol of PSI. So new real threats are not seen.
Would it be possible to implement a function:
The user can manually mark the insecure application as "fixed by the user" or similar.
To avoid future problems this could be for a limited time only, say 24 hours.
So the yellow symbol would give the false warning only once a day.

Hope my post was possible to understand.
Bye,
Was this reply relevant?
+1
-0
davidows RE: Incorrect version detection of Imagemagick
Member 9th Apr, 2012 08:37
Score: 16
Posts: 30
User Since: 24th Apr 2008
System Score: 100%
Location: US
I have also poked ImageMagick about the problems their practices are causing, and cross posted it in the developers forum, since it didn't get us anywhere in the bugs forum.
Was this reply relevant?
+0
-0
djk RE: Incorrect version detection of Imagemagick
Member 10th Apr, 2012 17:02
Score: 1
Posts: 2
User Since: 23rd Jun 2010
System Score: N/A
Location: US
This is the response ImageMagick replied to me with concerning the version not being correct. I understand they are a volunteer project and see them using that as a response as unfortunate as it is. I also agree Secunia might want to use additional data points to fully confirm issues and avoid the false positive noise and having the issue marked ignore and never getting updated.

ImageMagick response:

"We've gotten a number of reports about this issue. Secunia is producing a
false positive. We consider that a bug in Secunia, not ImageMagick. It is
not our policy to alter ImageMagick to make other vendors lives easier."

"We currently have over 1000 items on our to-do list and have a small
development team. Consider that Secunia is funded. We're a volunteer
organization and we all have regular jobs. We will update the version
string at some point but currently do not have the time nor an ETA."
Was this reply relevant?
+1
-0
erix53 RE: Incorrect version detection of Imagemagick
Member 10th Apr, 2012 17:25
Score: 18
Posts: 24
User Since: 30th Mar 2012
System Score: N/A
Location: IT
on 10th Apr, 2012 17:02, djk wrote:

ImageMagick response:

"We've gotten a number of reports about this issue. Secunia is producing a
false positive. We consider that a bug in Secunia, not ImageMagick. It is
not our policy to alter ImageMagick to make other vendors lives easier."


I saw that too and I was looking for a pragmatic solution; perhaps I found one.

It is of course unreasonable for Secunia to write ad-hoc version detection code for each known application, more so if it involves executing the program just to get its version.
On the other hand, I can understand ImageMagick authors' viewpoint.

So here is a low-cost proposal: when hovering over the systray icon, instead of showing:
"You have programs that require manual updates"
PSI could say:
"You have *n* programs that require manual updates"

Some additional visual feedback would of course be welcome, but at least we wouldn't have to open PSI and type the admin password just to know if something changed from last time we checked.
Was this reply relevant?
+1
-0

© 2002-2014 Secunia ApS - Rued Langgaards Vej 8, 4th floor, DK-2300 Copenhagen, Denmark - +45 7020 5144