Apple has announced a brand-new image format that will be available in iOS 11. It is called HEIF (High Efficiency Image Format), and is designed to be a high compression format used for burst photographs to replace JPG. Apple’s primary goal in introducing this new format is to save space on mobile devices, but there is a risk with this concept.
Ask yourself when the last time a new image format was released. We have standardized on JPG, PNG, TIFF, BMP and other formats. It literally has been years since a new format has been released. During this span, utilities, operating systems, and photo programs have systematically closed vulnerabilities in all of these formats making them a vector for exploitation a null point. There has not been a new widespread exploit on these formats in a very long time.
What is the Impact?
With the creation of a new format, that is expected to be widely used, everyone will need to update their operating system, mobile devices, utilities, photo programs, and even preview services used in cloud storage to view the images. The chances of any manufacturer making a mistake in their code to open and process these images is real – thus it is likely we will see a new round of vulnerabilities and image exploits against individual applications (and potentially the operating system itself) simply due to a new file format to process.
While some of my peers may balk at this prediction, it will only take one critical vulnerability to make this prediction come true. Any time we make a change of this magnitude there is risk. The file format will be standardized by Apple but it will be up to everyone else to provide compatibility for the new format. Coding mistakes – from buffer overflows to image rendering exploits – will prove whether we should consider the security ramifications anytime we introduce a new file format and standard that will be ubiquitously used almost everywhere.
How to Prepare
There is a small shimmer of light in this prediction. BeyondTrust’s Retina vulnerability management solutions will be updated with any audits necessary to identify vulnerable applications that require remediation. In addition, PowerBroker privileged access management can provide application control (via allow listing, block listing and grey listing) to isolate identified vulnerable applications through patented Vulnerability Based Application Management (VBAM).
While I truly hope this prediction only sees minimal success, I must stress to all organizations that plan to use this new format that an old school risk may reappear and we should be prepared and continue to be vigilant.
Morey J. Haber, Chief Security Officer, BeyondTrust
Morey J. Haber is the Chief Security Officer at BeyondTrust. He has more than 25 years of IT industry experience and has authored three books: Privileged Attack Vectors, Asset Attack Vectors, and Identity Attack Vectors. He is a founding member of the industry group Transparency in Cyber, and in 2020 was elected to the Identity Defined Security Alliance (IDSA) Executive Advisory Board. Morey currently oversees BeyondTrust security and governance for corporate and cloud based solutions and regularly consults for global periodicals and media. He originally joined BeyondTrust in 2012 as a part of the eEye Digital Security acquisition where he served as a Product Owner and Solutions Engineer since 2004. Prior to eEye, he was Beta Development Manager for Computer Associates, Inc. He began his career as Reliability and Maintainability Engineer for a government contractor building flight and training simulators. He earned a Bachelor of Science degree in Electrical Engineering from the State University of New York at Stony Brook.