No Patch Available Yet for New Major Vulnerability in Ghostscript Interpreter

It has been reported that Tavis Ormandy, a Google Project Zero security researcher, has revealed details about a new major vulnerability discovered in Ghostscript, an interpreter for Adobe's PostScript and PDF page description languages.
Ghostscript is by far the most widely used solution of its kind. The Ghostscript interpreter is embedded in hundreds of software suites and coding libraries that allow desktop software and web servers to handle PostScript and PDF-based documents.
Steve Giguere, lead EMEA engineer at Synopsys, said: "As noted in the vulnerability report, Ghostscript is used pretty much everywhere and has been for a very long time. Packages like GIMP (a Photoshop alternative - but more important for web applications) and ImageMagick are prevalent, to the extent of being standard for the processing of PDF files. The exploit has the potential for file system access, leading to sensitive data leaks and more, as it can be the beachhead opportunity for a more comprehensive data breach.
"This Ghostscript exploit is a premium example of cascading dependencies on open source software packages, where the dependency of a core component may not be easily upgraded. Even when a CVE is associated with something like this, and a fix available, there will be a secondary delay whilst packages which incorporate this into their own software like ImageMagick release a version with a fix.
"This creates a second level of potential delay. Not only does protection against this rely on the authors fixing the defect at source quickly, it then relies on its incorporation into its next level usage and then again into websites and applications which in turn use that. This could create a significant window of opportunity for malicious actors to weaponise it.
"In the short term, the advice to start disabling PS, EPS, PDF and XPS coders by default is the only defence - until a fix is available. Until then, lock your doors and maybe read paper copies!"
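One way to verify that the interim mitigation is actually in place on a host, as an added example that is not from the article, the researcher's report, or ImageMagick itself: a small audit of an ImageMagick `policy.xml` that reports which of the four coders are still usable. It assumes the standard `<policy domain="coder" rights="none" pattern="..."/>` form; the sample policy is constructed, and the matching rules (case-sensitive globs, any grant anywhere counts as exposure) are deliberately conservative simplifications rather than ImageMagick's exact evaluation logic.

```python
import fnmatch
import re
import xml.etree.ElementTree as ET

# Coders named in the advice quoted above.
RISKY_CODERS = ("PS", "EPS", "PDF", "XPS")

# Constructed sample: XPS is forgotten and PDF is re-enabled by a second rule.
SAMPLE_POLICY = """<policymap>
  <policy domain="resource" name="memory" value="256MiB"/>
  <policy domain="coder" rights="none" pattern="{PS,EPS,PDF}"/>
  <policy domain="coder" rights="read|write" pattern="PDF"/>
</policymap>"""


def expand_braces(pattern):
    """Expand {A,B} alternation, which fnmatch does not understand."""
    m = re.search(r"\{([^{}]*)\}", pattern)
    if not m:
        return [pattern]
    head, tail = pattern[:m.start()], pattern[m.end():]
    return [p for alt in m.group(1).split(",")
            for p in expand_braces(head + alt.strip() + tail)]


def matches(pattern, coder):
    # Assumption: case-sensitive glob match against the upper-case coder name.
    return any(fnmatch.fnmatchcase(coder, p) for p in expand_braces(pattern))


def audit_policy(xml_text, coders=RISKY_CODERS):
    """Map each coder to True only if it is denied and never granted."""
    root = ET.fromstring(xml_text)
    status = {}
    for coder in coders:
        denied = granted = False
        for pol in root.iter("policy"):
            if (pol.get("domain", "").lower() != "coder"
                    or not matches(pol.get("pattern", ""), coder)):
                continue
            if pol.get("rights", "").strip().lower() == "none":
                denied = True
            else:
                granted = True  # any grant is treated as exposure
        status[coder] = denied and not granted
    return status


def exposed_coders(xml_text):
    """Sorted list of risky coders the policy does not reliably block."""
    return sorted(c for c, ok in audit_policy(xml_text).items() if not ok)
```

Run `exposed_coders()` against the contents of each `policy.xml` the installation loads; an empty list means all four coders are denied in that file.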