|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
From: Kim Scarborough (kjs_at_uchicago.edu)
Date: Tue Jan 07 2003 - 11:41:38 CST
dildog wrote:
> I suppose that IE's 'automatic font download' support (which is on by
> default) would exacerbate this problem, correct?
If you mean IE's font embedding support, it's unclear. Embedded font files are
a different format than standard font files (to prevent piracy). They are not
viewable in Font Viewer, so I doubt this same sort of attack could be done
that way. If the folks who gave us this OTF want to try it on a EOT file (MS's
embedding format) and see if they can crash IE (or get it to execute code),
that'd be interesting.
If you mean IE's international support, which will download fonts when
necessary, then yes, it would be vulnerable to this attack, but since it only
downloads those files directly from Microsoft, it's no more of a danger than a
Service Pack or anything else you get from them. If MS's download area is
compromised, people have a lot more to fear than trojaned font files.
-- ---------------------------------------------------------------------------- Kim Scarborough Web Systems Administrator University of Chicago/NSIT (773) 834-7740 ----------------------------------------------------------------------------
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]