Prediction: Old School Exploits for Image Formats Will Come Back

Morey Haber, Chief Technology Officer
August 24th, 2017

Exploits for Image File Formats Will Come Back

Apple has announced a brand-new image format that will be available in iOS 11. It is called HEIF (High Efficiency Image Format), and is designed to be a high compression format used for burst photographs to replace JPG. Apple’s primary goal in introducing this new format is to save space on mobile devices, but there is a risk with this concept.

Ask yourself when a new image format was last released. We have standardized on JPG, PNG, TIFF, BMP and other formats. It literally has been years since a new format has been released. During this span, utilities, operating systems, and photo programs have systematically closed vulnerabilities in all of these formats, making their use as a vector for exploitation a moot point. There has not been a new widespread exploit on these formats in a very long time.

What is the Impact?

With the creation of a new format that is expected to be widely used, everyone will need to update their operating systems, mobile devices, utilities, photo programs, and even the preview services used in cloud storage to view the images. The chance of any manufacturer making a mistake in the code that opens and processes these images is real – thus it is likely we will see a new round of vulnerabilities and image exploits against individual applications (and potentially the operating system itself) simply due to a new file format to process.

While some of my peers may balk at this prediction, it will only take one critical vulnerability to make this prediction come true. Any time we make a change of this magnitude there is risk. The file format will be standardized by Apple but it will be up to everyone else to provide compatibility for the new format. Coding mistakes – from buffer overflows to image rendering exploits – will prove whether we should consider the security ramifications any time we introduce a new file format and standard that will be used almost everywhere.

How to Prepare

There is a small shimmer of light in this prediction. BeyondTrust’s Retina vulnerability management solutions will be updated with any audits necessary to identify vulnerable applications that require remediation. In addition, PowerBroker privileged access management can provide application control (via whitelisting, blacklisting and greylisting) to isolate identified vulnerable applications through patented Vulnerability Based Application Management (VBAM).

While I truly hope this prediction only sees minimal success, I must stress to all organizations that plan to use this new format that an old-school risk may reappear, and we should be prepared and continue to be vigilant.

Contact us today if you need to perform a vulnerability assessment in your environment.

With more than 20 years of IT industry experience and author of Privileged Attack Vectors, Mr. Haber joined BeyondTrust in 2012 as a part of the eEye Digital Security acquisition. He currently oversees BeyondTrust technology for both vulnerability and privileged access management solutions. In 2004, Mr. Haber joined eEye as the Director of Security Engineering and was responsible for strategic business discussions and vulnerability management architectures in Fortune 500 clients. Prior to eEye, he was a Development Manager for Computer Associates, Inc. (CA), responsible for new product beta cycles and named customer accounts. Mr. Haber began his career as a Reliability and Maintainability Engineer for a government contractor building flight and training simulators. He earned a Bachelor of Science in Electrical Engineering from the State University of New York at Stony Brook.