Subj : Using the wrong font could be a major security problem  and possi
To   : All
From : TechnologyDaily
Date : Fri Mar 08 2024 18:00:06

Using the wrong font could be a major security problem  and possibly not for 
the reason you might think

Date:
Fri, 08 Mar 2024 17:57:30 +0000

Description:
Fonts are a less obvious attack surface, but these three CVEs prove that you 
should consider all potential vulnerabilities.

FULL STORY
======================================================================

An investigation by Canva deep dive into the world of font security has 
uncovered three unexpected vulnerabilities and revealed how choosing the 
wrong font could spell out a cybersecurity disaster. 

In an effort to enhance the security of its tools, Canva has been researching 
less-explored attack surfaces, including fonts , which play an integral part 
in graphics processing. 

A trio of vulnerabilities have been highlighted in a report entitled Fonts 
are still a Helvetica of a Problem", with Canva ultimately declaring that the 
font landscape is actually quite rich in attack surfaces. Canva is concerned 
about the font you use 

The first vulnerability, tracked as CVE-2023-45139, was discovered in 
FontTools, a Python library for manipulating fonts. Canva found that when 
processing an SVG table to subset a font, FontTools could use an untrusted 
XML file, leading to an XML External Entity (XXE) vulnerability. 

The researchers abused this vulnerability to produce a subsetted font 
containing an SVG table with an /etc/passwd payload. FontTools released a 
patch three days after being notified of the vulnerability in September 2023. 

The other two vulnerabilities, CVE-2024-25081 and CVE-2024-25082, both rated 
at 4.2/10, were associated with naming conventions and font compression. 
Canva found the potential for command injection when dealing with filenames 
in tools like FontForge and ImageMagick. Both have also been addressed. 

Acknowledging the timely work of open-source font software and tool 
maintainers, Canva noted that IT workers should treat fonts like any other 
untrusted input by implementing sandboxing and using tools like 
OpenType-Sanitizer. 

This isnt the first time that font security has been raised, with Google 
exploring similar issues nearly a decade ago, however with the increased 
prevalence and more severe consequences of cyber attacks, Canvas 
recommendation that we pay attention to less obvious attack surfaces is a 
mighty sensible one. More from TechRadar Pro Check out the best endpoint 
protection tools for keeping your business safe Cloudflare launches new fight 
against Google over...fonts? Fancy an upgrade? These are the best business 
laptops and best mobile workstations



======================================================================
Link to news story:
https://www.techradar.com/pro/security/using-the-wrong-font-could-be-a-major-s
ecurity-problem-and-possibly-not-for-the-reason-you-might-think


--- Mystic BBS v1.12 A47 (Linux/64)
 * Origin: tqwNet Technology News (1337:1/100)

.