I got curious about how to scan or assess the risk of a particular font file before deploying it to hosts. First line of defense, of course, is to make sure that our hosts are patched against any TrueType font vulnerabilities.
I read the excellent research from Google Project Zero and it seems like it is worth understanding risks from fonts. I also read the answer from Tom Leek that suggests (very sensibly) trying the font on Linux before trying it on Windows because:
it would be very hard to craft a "malicious font" which can install a virus on a Windows system, but otherwise works "correctly" on a Linux system
Finally, I installed a Python library (FontTools) that allows a conversion from a .ttf to a human-readable .xml file. In the resulting file, there are hundreds of lines of assembly code, as a "hinting mechanism" exists in each .ttf file. It is into this assembly code that an attacker would insert exploits.
For further investigation, I would like to compare a known bad .ttf file, like the ones that were used to exploit font handling vulnerabilities, with a known good .ttf file. I imagine it would be difficult to spot the differences without intimate knowledge of assembly, but I'd like to have a look, or at least hear from someone here if such a thing is possible. So, the question is: does anyone know of a way to analyze .ttf files for suspicious commands, and does anyone know where to get a .ttf file used to exploit font handling vulnerabilities?
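As an added example (not part of the question, and not FontTools' own code), here is the kind of baseline comparison the question asks about, written against the standard library only: it parses the sfnt table directory, walks the two global hinting programs (fpgm and prep), separates opcodes from their inline push operands, and reports which opcodes a candidate font uses that a known-good baseline does not, plus the size change. The two sample fonts are constructed inline and are not real font files; per-glyph instructions stored in the glyf table are left out of this version.

```python
import struct
from collections import Counter

def sfnt_tables(data: bytes) -> dict:
    """Parse the sfnt table directory into {tag: raw table bytes}."""
    num_tables = struct.unpack(">H", data[4:6])[0]
    tables = {}
    for i in range(num_tables):
        tag, _csum, off, length = struct.unpack(">4sIII", data[12 + 16 * i: 28 + 16 * i])
        tables[tag.decode("latin-1")] = data[off:off + length]
    return tables

def opcode_histogram(program: bytes) -> Counter:
    """Count opcodes in a TrueType instruction stream, skipping inline push data."""
    # Only NPUSHB/NPUSHW/PUSHB[n]/PUSHW[n] carry operands; every other opcode is one byte.
    hist, i = Counter(), 0
    while i < len(program):
        op = program[i]
        hist[op] += 1
        if op == 0x40:             i += 2 + program[i + 1]        # NPUSHB: n, then n bytes
        elif op == 0x41:           i += 2 + 2 * program[i + 1]    # NPUSHW: n, then n words
        elif 0xB0 <= op <= 0xB7:   i += 2 + (op - 0xB0)           # PUSHB[n]: n+1 bytes
        elif 0xB8 <= op <= 0xBF:   i += 3 + 2 * (op - 0xB8)       # PUSHW[n]: n+1 words
        else:                      i += 1
    return hist

def compare_hinting(baseline: bytes, candidate: bytes) -> dict:
    """Per global hinting table, report opcodes seen only in the candidate and the size change."""
    base, cand = sfnt_tables(baseline), sfnt_tables(candidate)
    report = {}
    for tag in ("fpgm", "prep"):
        b, c = base.get(tag, b""), cand.get(tag, b"")
        new_ops = sorted(set(opcode_histogram(c)) - set(opcode_histogram(b)))
        report[tag] = {"new_opcodes": new_ops, "size_delta": len(c) - len(b)}
    return report

def build_ttf(tables: dict) -> bytes:
    """Assemble a minimal sfnt container from {tag: bytes}; used only to construct sample data."""
    n = len(tables)
    header = struct.pack(">IHHHH", 0x00010000, n, 0, 0, 0)
    directory, body = b"", b""
    for tag, blob in tables.items():
        directory += struct.pack(">4sIII", tag.encode(), 0, 12 + 16 * n + len(body), len(blob))
        body += blob + b"\0" * (-len(blob) % 4)      # tables are 4-byte aligned
    return header + directory + body

# Constructed sample fonts (not real font files): the baseline defines function 0 via
# PUSHB[0]; the candidate does the same via NPUSHB and adds one extra opcode (0x39, IP).
GOOD_FONT = build_ttf({"fpgm": b"\xb0\x00\x2c\x2d", "prep": b"\x4b\xb0\x08\x1d"})
TEST_FONT = build_ttf({"fpgm": b"\x40\x01\x00\x2c\x2d\x39", "prep": b"\x4b\xb0\x08\x1d"})
REPORT = compare_hinting(GOOD_FONT, TEST_FONT)
```

A real workflow would point `compare_hinting` at the bytes of a trusted font and the font under review, and treat any newly appearing opcode or large size change as a prompt to read that program in the FontTools TTX dump.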