The bugs in image parsing code, some of which impact open source image libraries and not the ImageIO framework itself, can be triggered through popular messenger applications by sending specially crafted image files to the targeted user. The researchers believe it may be possible to exploit some of the flaws for remote code execution without user interaction.
Google’s researchers identified a total of 14 vulnerabilities, 5 of which affected Apple’s ImageIO framework, and 9 impacting the OpenEXR library, a high dynamic range (HDR) image file format created for computer imaging applications.