Preface: Multiple vulnerabilities have been found in libTIFF, the worst of which may allow execution of arbitrary code. That was 5 years ago (2016)! Has it become a focus of manufacturers’ attention now?
Background: TIFF supports tag extensions, allowing more tags than the standard TIFF specification defines. For example: code 326 (hex 0x0146), name BadFaxLines. Used in the TIFF-F standard, it denotes the number of ‘bad’ scan lines encountered by the facsimile device.
Reference: Tag code 326 (BadFaxLines) – when LibTIFF handles this tag, a type confusion vulnerability is possible in which LibTIFF reads a mistyped argument off the variable argument list.
Vulnerability details: This vulnerability allows remote attackers to execute arbitrary code on affected installations of Apple macOS. Crafted data in a TIFF image can trigger a write past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code in the context of the current process.
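As an added illustration (not from the advisory or from libTIFF's own code), the following Python checker parses a TIFF file's first IFD and flags a BadFaxLines (326) entry whose declared field type is not the SHORT or LONG that TIFF-F specifies, which is the kind of type mismatch the confusion described above depends on. The sample files and the expected-type table are constructed assumptions.

```python
import struct

# TIFF field type codes from the TIFF 6.0 specification
SHORT, LONG, RATIONAL = 3, 4, 5
BADFAXLINES = 326  # 0x0146, TIFF-F extension tag
# Field types TIFF-F allows for BadFaxLines (assumed table); any other declared type is flagged
EXPECTED_TYPES = {BADFAXLINES: {SHORT, LONG}}

def parse_ifd0(data: bytes):
    """Parse the header and first IFD; return (tag, type, count, value_or_offset) tuples."""
    if len(data) < 8:
        raise ValueError("too short for a TIFF header")
    end = {b"II": "<", b"MM": ">"}.get(data[:2])
    if end is None:
        raise ValueError("bad byte-order mark")
    magic, ifd_off = struct.unpack(end + "HI", data[2:8])
    if magic != 42:
        raise ValueError("bad TIFF magic")
    if ifd_off + 2 > len(data):
        raise ValueError("IFD offset out of range")
    (n,) = struct.unpack(end + "H", data[ifd_off:ifd_off + 2])
    entries, pos = [], ifd_off + 2
    for _ in range(n):
        if pos + 12 > len(data):
            raise ValueError("truncated IFD entry")
        entries.append(struct.unpack(end + "HHII", data[pos:pos + 12]))
        pos += 12
    return entries

def find_mistyped_tags(data: bytes):
    """Return (tag, declared_type) for each entry whose declared type is not an expected one."""
    bad = []
    for tag, ftype, _count, _value in parse_ifd0(data):
        expected = EXPECTED_TYPES.get(tag)
        if expected is not None and ftype not in expected:
            bad.append((tag, ftype))
    return bad

def build_tiff(entries):
    """Construct a minimal little-endian TIFF (header + one IFD) from (tag, type, count, value) tuples."""
    ifd = struct.pack("<H", len(entries))
    for e in entries:
        ifd += struct.pack("<HHII", *e)  # inline values only; no external data areas
    ifd += struct.pack("<I", 0)  # no further IFDs
    return b"II" + struct.pack("<HI", 42, 8) + ifd

# Constructed samples: BadFaxLines declared as SHORT (valid) vs. declared as RATIONAL (mismatch)
GOOD = build_tiff([(256, SHORT, 1, 4), (257, SHORT, 1, 4), (BADFAXLINES, SHORT, 1, 0)])
MISTYPED = build_tiff([(256, SHORT, 1, 4), (257, SHORT, 1, 4), (BADFAXLINES, RATIONAL, 1, 0)])
```

Such a pre-parse check on declared tag types is a cheap way to reject inputs before a full decoder with per-tag type assumptions ever touches them.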
Remark: Reading the TIFF pages as BufferedImages essentially decompresses the stored images, which may need a lot of memory depending on the size of the images: every pixel takes up 3 (RGB) or 4 (ARGB) bytes.
Vulnerability exploit path: Exploiting this vulnerability requires user interaction, and the target must visit a malicious page or open a malicious file.
Existing status: ZDI notified the vendor of the intention to publish the case as a 0-day advisory on 07/22/21.