- From: Levantovsky, Vladimir <Vladimir.Levantovsky@MonotypeImaging.com>
- Date: Tue, 4 May 2010 11:08:38 -0400
- To: Sylvain Galineau <sylvaing@microsoft.com>, Anne van Kesteren <annevk@opera.com>, "public-webfonts-wg@w3.org" <public-webfonts-wg@w3.org>, "www-font@w3.org" <www-font@w3.org>
On Tuesday, May 04, 2010 12:34 AM Sylvain Galineau wrote: > > > From: Anne van Kesteren [mailto:annevk@opera.com] > > Sent: Monday, May 03, 2010 6:30 PM > > I don't really see it. If the browser has such a severe bug it would > > need to be fixed immediately. Maybe you can make the scenario more > concrete? > > A font file crafted to exploit a security flaw in an operating system's > font > manager is one. (And this has already happened). > > While they have been supported for a while in some browsers (since IE4 > in our case) > downloadable fonts have not been widely used in practice for a number > of reasons. > With browser vendors now agreeing on a cross-browser format and > implementing support, > higher bandwidth, built-in compression as well as high author interest, > this is > going to change very soon. And that means font decoding and rendering > code that thus > far spent 99.9% of its time processing clean files that came > preinstalled on your hard > drive will now spend an increasing share handling files downloaded from > all over the > Internet. Unlike image decoders, which have been exercised, probed, > exploited and > hardened for over a decade, and which can easily be implemented across > platforms by > a browser vendor, font engines are implemented by the underlying OS > i.e. browsers have > a hard dependency they have very limited control on. > > Second, fonts are more complex than images. Not only do they describe > glyph shapes, > they include runtime opcodes as well e.g. hinting instructions. > > Thus a conservative working assumption is that in the near term, fonts > may be more > prone to vulnerabilities than a plain old PNG. > +1 on everything you mentioned so far, but there is more: Fonts (and SFNT format in particular on which TrueType, OpenType and many other formats are built) have been designed to be easily extensible, which has proven over the years to be a significant benefit - e.g. a new functionality has been added to OpenType fonts without sacrificing backward compatibility with older TrueType font engines. In addition to defining glyph shapes and hinting instructions, fonts now contain language- and script-specific glyph positioning and substitution info, and, hypothetically, can contain any additional data the font vendors may desire to include in a font to support advanced features. This can be added either using already existing tables and mechanisms, or by adding a new custom table. Those engines that were not equipped to handle it would simply ignore the additional tables while more sophisticated rendering engines would be able to take advantage of the presence of additional data. However, this very extensibility feature cold be exploited by an attacker. > And if any font resource can be linked to from anywhere, font-based > exploits are trivial > to abuse. Same-origin enforcement does not eliminate the risk. But it > mitigates it by reducing > it scope to those exploits where the attacker has a high level of > control over the origin. > At which point fonts are only one of the things the attacker can do to > you. > Absolutely agree.
Received on Tuesday, 4 May 2010 15:09:29 UTC