Profile securityA v4 ICC profile contains no executable code, but it is still important that developers of profile creation tools and CMMs are aware of problems that could arise from badly-formed profiles.
ICC has defined three priorities for profile security:
In the interests of protecting the colour management community from potential security problems, all interested parties are encouraged to send examples, comments, and problems to the Technical Secretary. Where relevant, such cases will be reported to the colour management community through the ICC web site.
ICC is committed to giving more attention to this issue. Information on vulnerabilities and how to avoid them will be posted here, together with information about tools to help developers identify vulnerabilities.
ICC has developed a tool to scan ICC profiles (RGB and CMYK input, output, display and colorspace) in order to find possible exploits. It identifies whether the profile is corrupted in a suspicious way.
The tool is available to ICC members. Vendors of profiling software, and organisations providing profiles to the colour management community, can upload profiles to ICC and receive a confidential report on any issues detected.
Please report any comments or issues to the ICC Technical Secretary.