Hey!
Is it really dangerous to enable FONTS in NoScript while surfing a website? Ok it's not usually needed by the website, only to have a better look ;)
Thx for your advice ;)
Downloading fonts may be dangerous although the chances are rather low. But as always, this is subject to many circumstances.
https://threatpost.com/of-truetype-font-vulnerabilities-and-the-windows-kern...
Best wishes Andre
On 04.09.2017 at 09:37, Petrusko petrusko@riseup.net wrote:
> Hey!
> Is it really dangerous to enable FONTS in NoScript while surfing a website? Ok it's not usually needed by the website, only to have a better look ;)
> Thx for your advice ;)
> -- Petrusko C0BF 2184 4A77 4A18 90E9 F72C B3CA E665 EBE2 3AE5
> tor-users mailing list tor-users@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-users
Buh! Thx Andre for your answer and the link :) Very interesting, but hard to understand for a novice. So I can see it's only a Windows problem if I'm not wrong. So on a Linux machine there's no (not known) risk to enable @Font ...
Thx! ;)
Andre Mankel:
> Downloading fonts may be dangerous although the chances are rather low. But as always, this is subject to many circumstances.
> https://threatpost.com/of-truetype-font-vulnerabilities-and-the-windows-kern...
> Best wishes Andre
I would not assume Linux is safe. Font engines are complex beasts, giving security bugs plenty of places to hide. Freetype has had 22 vulnerabilities discovered since 2009 that could have been used to execute code, and Graphite, Firefox's current font rendering engine, has also had its share. In fact, as recently as April, Firefox had BOTH a remote execution font rendering bug *and* a sandbox escape bug that perhaps could have been combined to enable executing arbitrary code outside the sandbox.
On Wed, Sep 6, 2017 at 2:30 PM Petrusko petrusko@riseup.net wrote:
> Buh! Thx Andre for your answer and the link :) Very interesting, but hard to understand for a novice. So I can see it's only a Windows problem if I'm not wrong. So on a Linux machine there's no (not known) risk to enable @Font ...
> Thx! ;)
> Andre Mankel:
> > Downloading fonts may be dangerous although the chances are rather low. But as always, this is subject to many circumstances.
> > https://threatpost.com/of-truetype-font-vulnerabilities-and-the-windows-kern...
> > Best wishes Andre
> -- Petrusko C0BF 2184 4A77 4A18 90E9 F72C B3CA E665 EBE2 3AE5
Thx Sean for this answer, so it's really sad to understand it's bugged and system/browser can be compromised by those fonts :s
So I'm starting to be anxious when I think about all fonts downloaded on websites (like www.dafont.com) and added on the system, sometimes Windows, usually Debian, to use it with GIMP and sometimes inside other software... :ss Those websites can be a nice way for bad guyz to distribute those bugged fonts so :'(
Buh! And no way to know if a font is bugged or not? When using it inside GIMP for example, no remote execution or something similar can be done? Like Firefox in your example? (kernel pwned in Windows, resulting as a BSOD is not really a big problem in my eyes...)
On 07/09/2017 at 00:31, Sean Lynch wrote:
> I would not assume Linux is safe. Font engines are complex beasts, giving security bugs plenty of places to hide. Freetype has had 22 vulnerabilities discovered since 2009 that could have been used to execute code, and Graphite, Firefox's current font rendering engine, has also had its share. In fact, as recently as April, Firefox had BOTH a remote execution font rendering bug *and* a sandbox escape bug that perhaps could have been combined to enable executing arbitrary code outside the sandbox.
> On Wed, Sep 6, 2017 at 2:30 PM Petrusko <petrusko@riseup.net> wrote:
> > Buh! Thx Andre for your answer and the link :) Very interesting, but hard to understand for a novice. So I can see it's only a Windows problem if I'm not wrong. So on a Linux machine there's no (not known) risk to enable @Font ...
> > Thx! ;)
> > Andre Mankel:
> > > Downloading fonts may be dangerous although the chances are rather low. But as always, this is subject to many circumstances.
> > > https://threatpost.com/of-truetype-font-vulnerabilities-and-the-windows-kernel/101263/
> > > Best wishes
> > > Andre
> > -- Petrusko C0BF 2184 4A77 4A18 90E9 F72C B3CA E665 EBE2 3AE5