Font security 'still a Helvetica of a problem' says Australian graphics outfit Canva

2024-03-08 03:57

Online graphic design platform Canva went looking for security problems in fonts, and found three - in "Strange places."

Tools like FontForge and ImageMagick can rename filenames of fonts, allowing users to work within a complex naming system to better locate a desired font inside a collection.

The researchers were able to construct a simple proof of concept in the form of a shell execution that allowed FontForge to open files to which it shouldn't have access - which is bad. Fonts are often distributed as archive files - an approach that helps to reduce their size and bundle font families together.

"A vulnerability was discovered when FontForge parses the Table of Contents for an archive file. The TOC is a list of all the files compressed in the archive and FontForge uses this to pull a font file out to perform actions on," explained Canva.

It's a long-standing problem to which Google even took a critical eye back in 2015, when its Project Zero released a series of blogs around font security.

"We hope to see more font security research in the future, because we believe it's an area still lacking in security maturity." .

News URL

https://go.theregister.com/feed/www.theregister.com/2024/03/08/canva_font_security/

#australian #security