Teacher
Professional
- Messages
- 2,670
- Reaction score
- 783
- Points
- 113
Graphic design requires a global review of security policies.
A new study by the Australian company Canva, specializing in graphic design, revealed a number of security vulnerabilities related to fonts.
Experts found three vulnerabilities in "unusual places", emphasizing that fonts are a complex and widespread part of graphics processing, which previously could remain without proper attention in the security context.
The first vulnerability, CVE-2023-45139, which received a severity rating of 7.5 out of 10 on the CVSS scale, was found in the FontTools library. It is associated with processing untrusted XML files when trying to reduce the font size, which can lead to unauthorized access to files.
Two other vulnerabilities-CVE-2024-25081 and CVE-2024 — 25082, with a preliminary score of 4.2 out of 10-are related to naming conventions and file compression. So, the researchers demonstrated how using specially created file names, you can force tools such as FontForge and ImageMagick to open access to data that should not initially be accessible.
Special attention is paid to distributing fonts through archived files, which can simplify the distribution of vulnerabilities. In particular, when processing the archive table of contents with the FontForge tool, a vulnerability was discovered that allows malicious code to be executed.
Canva emphasizes that font-related security issues have long been in need of attention, recalling Google's 2015 Project Zero, which also made font security a critical area.
The company calls for treating fonts like any other type of unreliable input, and hopes for further research in this area to improve the level of font security in the future.
A new study by the Australian company Canva, specializing in graphic design, revealed a number of security vulnerabilities related to fonts.
Experts found three vulnerabilities in "unusual places", emphasizing that fonts are a complex and widespread part of graphics processing, which previously could remain without proper attention in the security context.
The first vulnerability, CVE-2023-45139, which received a severity rating of 7.5 out of 10 on the CVSS scale, was found in the FontTools library. It is associated with processing untrusted XML files when trying to reduce the font size, which can lead to unauthorized access to files.
Two other vulnerabilities-CVE-2024-25081 and CVE-2024 — 25082, with a preliminary score of 4.2 out of 10-are related to naming conventions and file compression. So, the researchers demonstrated how using specially created file names, you can force tools such as FontForge and ImageMagick to open access to data that should not initially be accessible.
Special attention is paid to distributing fonts through archived files, which can simplify the distribution of vulnerabilities. In particular, when processing the archive table of contents with the FontForge tool, a vulnerability was discovered that allows malicious code to be executed.
Canva emphasizes that font-related security issues have long been in need of attention, recalling Google's 2015 Project Zero, which also made font security a critical area.
The company calls for treating fonts like any other type of unreliable input, and hopes for further research in this area to improve the level of font security in the future.
