On a brighter note, Apple is currently in the process of converting almost all iMessage components to Swift for this reason. I'm sure it is taking many engineering hours, and image parsers/open source libraries like this are the most difficult to convert.
Just one component, the one that parses incoming messages. The problem here is that it parsed the message and decided to pass it to ImageIO, which is written in C++.
I’m only a few more CVEs from advocating C++ and Objective(ly)-C(rap) proponents be subject to registration and public humiliation whenever the (inevitable) next issue occurs.
I get it, legacy crap has momentum and you can’t ignore that. What’s not ok is the mountain of people who pretend that’s not a problem.
It takes an expert to know that there's a vulnerability. Whereas a construction engineer can "see" the pothole and so they can fix it. A software engineer has to "know from exploits" that there's a vulnerability so they can fix it. It's not far away when OSes are written in memory safe languages like Rust.
It's more complex to find security bugs, yes, but I think the analogy stands.
In order for a construction engineer to "see" a pothole, they need to actually know where the pothole is and physically go there.
When you have millions of kilometers of paving across a continental-sized country, like the US or China, for example, this is unfeasible. "Seeing" a pothole isn't as simple as it might seem at first impression...