Re: Fonts and security

On Wed, Jul 29, 2009 at 2:39 PM, John Daggett<jdaggett@mozilla.com> wrote:
> As with the Chrome team, when the subject of supporting downloadable fonts in Firefox was brought up the primary concern was security.  I've had discussions other developers passionately arguing against this feature for that very reason.  That's why a linked font is used with caution, never affects text outside the page that links to that font and is never installed as a system font, ever.
>
> I'm sure in the future there will be browser attacks where fonts are part of the attack.  That's why it's important for font vendors and authors to *always* report fonts that cause platform crashes of any kind, no matter how obscure, because that might be an exploitable attack vector.  And that includes areas that seem far removed, like complex script handling.  If anything, these areas are more vulnerable because they are more complex and less rigorously tested.  Sometimes it's difficult to get OS vendors to respond because these situations seem like "edge cases" of lower priority but it's the nature of the crash not the obscurity that determines it's potential as an attack vector.
>
> Another thing to point out is that embedded document formats like PDF have the same problem with slightly different ripples.

All true.

Having been on that side of the fence (with the people making font
rasterizers and sharing vulnerability info back and forth, and even
sharing code/patches), I can attest that the font imaging
infrastructure used by Mac OS, Windows and Acrobat/Reader is ever more
stable and secure. I would never say "perfect" or "bulletproof," but
it is pretty darn good.

That being said, of course font rasterization and text layout is an
area vulnerable to malicious fonts. But there are much more fruitful
areas for people of ill-will to look for exploits.

Regards,

T

Received on Thursday, 30 July 2009 02:21:24 UTC