There are cases of fonts being used for exploiting vulnerabilities (for ex: ThreatPost, SecureList and F-Secure). My question is if you ever get hands on such a font, how do you know that it is malicious?
Asked
Active
Viewed 1.3k times
1 Answers
16
You can know if a font is dangerous by the following method:
- Install a system in a virtual machine.
- Shutdown it.
- From the "outside" (i.e. another OS), access the virtual disk for the VM, and compute a hash value for every single file.
- Restart the VM. In the VM, open the font. Then shutdown the VM again.
- From the outside, recompute the hash values for every single file.
- Compare the two lists of hashes to see what has changed.
If some non-font-related files have been altered, then the font is definitely fishy.
A malicious font is something else. Malice means intent. A file has no mind, thus no intent. A "malicious font" is a font file which has been crafted so that it triggers a bug in the software which will read the font file, such that the consequences of the bug have an effect which is, ultimately, beneficial to whoever crafted the font file that way, and detrimental to the machine owner. This is "malicious" if the font file maker was aware of the bug and did it deliberately; otherwise, it is "just a bug".
In any case, detecting whether a font file is "malicious" is no easier than detecting whether an executable file is "malicious". This means that it cannot be done generically. Instead, we rely on the file source: we are wary of files which come from a source which is not known to be trustworthy.
Since a font is "just data", it can have an adverse effect only when opened with some software which has an exploitable bug in its code. It would be very hard to craft a "malicious font" which can, say, install a virus on a Windows system, but otherwise works "correctly" (as a font) on a Linux system (and vice versa). Since there are much fewer Linux desktop systems than Windows desktop systems out there, opening font files with Linux first, switching to Windows only if the font file looks good on Linux, ought to be "safe" (at least safer than the opposite).
Tom Leek
- 168,808
- 28
- 337
- 475
-
Do you know of trusted locations to source non-default fonts from? – makerofthings7 Jul 01 '15 at 16:45
-
4Would a location become trusted because "an Internet bear said so" ? – Tom Leek Jul 03 '15 at 20:08
-
2Fonts are not "just data": https://googleprojectzero.blogspot.fi/2015/07/one-font-vulnerability-to-rule-them-all.html – Mikko Rantalainen Feb 07 '18 at 13:23