Profile security
A v4 ICC profile contains no executable code, but it is still important that developers of profile creation tools and CMMs are aware of problems that could arise from badly-formed profiles. ICC has defined three priorities for profile security:
Process
In the interests of protecting the colour management community from potential security problems, all interested parties are encouraged to send examples, comments, and problems to the Technical Secretary. Where relevant, such cases will be reported to the colour management community through the ICC web site.
Engagement
ICC is committed to giving more attention to this issue. Information on vulnerabilities and how to avoid them will be posted here, together with information about tools to help developers identify vulnerabilities.
Profile scanning
ICC has developed a tool to scan ICC profiles (RGB and CMYK input, output, display and colorspace) in order to find possible exploits. It identifies whether the profile is corrupted in a suspicious way.
The tool is available to ICC members. Vendors of profiling software, and organisations providing profiles to the colour management community, can upload profiles to ICC and receive a confidential report on any issues detected.
Please report any comments or issues to the ICC Technical Secretary.
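The checks performed by the ICC scanning tool are not described on this page. As an added illustration that is not ICC's tool or code, the example below shows the kind of structural bounds checks a CMM or profile tool can run before trusting a profile's header and tag table. It assumes the ICC.1 file layout (128-byte header, 'acsp' signature at offset 36, 12-byte tag table entries); the names check_profile and build_sample and the sample bytes are constructed for this example.

```python
import struct

HEADER_SIZE = 128      # fixed-length ICC profile header
TAG_ENTRY_SIZE = 12    # tag signature, data offset, data size (4 bytes each)

def check_profile(data: bytes) -> list:
    """Return structural problems found; an empty list means none detected."""
    if len(data) < HEADER_SIZE + 4:
        return ["file too short for header and tag count"]
    problems = []
    declared_size = struct.unpack_from(">I", data, 0)[0]
    if declared_size != len(data):
        problems.append(f"header size {declared_size} != file length {len(data)}")
    if data[36:40] != b"acsp":
        problems.append("missing 'acsp' profile file signature")
    tag_count = struct.unpack_from(">I", data, HEADER_SIZE)[0]
    table_end = HEADER_SIZE + 4 + tag_count * TAG_ENTRY_SIZE
    if table_end > len(data):
        # Never walk a tag table the file cannot actually hold.
        problems.append(f"tag count {tag_count} runs past end of file")
        return problems
    for i in range(tag_count):
        entry = HEADER_SIZE + 4 + i * TAG_ENTRY_SIZE
        sig, offset, size = struct.unpack_from(">4sII", data, entry)
        name = sig.decode("latin-1")
        if offset < table_end:
            problems.append(f"tag {name!r}: data overlaps header or tag table")
        if size < 8:
            problems.append(f"tag {name!r}: too small for type signature")
        if offset + size > len(data):
            problems.append(f"tag {name!r}: data runs past end of file")
    return problems

def build_sample(tag_offset=144, tag_size=16, tag_count=1) -> bytes:
    """Constructed 160-byte skeleton with one tag; not a usable colour profile."""
    body = bytearray(160)
    struct.pack_into(">I", body, 0, len(body))
    body[36:40] = b"acsp"
    struct.pack_into(">I", body, HEADER_SIZE, tag_count)
    struct.pack_into(">4sII", body, HEADER_SIZE + 4, b"desc", tag_offset, tag_size)
    return bytes(body)

if __name__ == "__main__":
    print(check_profile(build_sample()))
    print(check_profile(build_sample(tag_size=0xFFFFFFF0)))
    print(check_profile(build_sample(tag_count=0x10000000)))
```

In a C or C++ CMM the `offset + size` comparison must be written so that it cannot wrap a 32-bit integer, for example as `size > len - offset` after first confirming `offset <= len`.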
Android lock screen bug
A rounding error in Java caused smartphones running a version of the Android OS to freeze when an auto-generated ICC profile was embedded in a lockscreen image. For more information, see here.
Malformed profiles
ICC maintains an archive of malformed profiles, with both critical and non-critical errors, for the purpose of testing workflow components.
A selection of these profiles can be found here.
For more information about any aspect of profile security please contact the ICC Technical Secretary.