Even the graphic engineers at Canva can’t believe it. They never thought that unpacking a font archive could release malware.
Leading Australian online graphic design company Canva is working hard to make its processes more secure. It also deployed new AI-powered graphics tools at the end of 2023.
Recently, its security experts have explored the less-examined aspects of fonts, revealing surprising vulnerabilities and highlighting potential security risks associated with the use of fonts.
3 vulnerabilities detected
The first flaw, identified as CVE-2023-45139, is a high-severity problem (7.5/10) in FontTools, a Python library. Canva revealed that using an untrusted XML file when processing an SVG table during the creation of a subset font exposes significant security risks. This vulnerability shows how complex font manipulation is, a topic often overlooked in IT security.
The second and third vulnerabilities, CVE-2024-25081 and CVE-2024-25082, both rated 4.2/10, concern file naming and compression. On its blog, Canva points out that popular tools such as FontForge and ImageMagick, used to rename font files, can introduce security issues when operating on untrusted data. The researchers also demonstrated that a simple shell command execution could open unauthorized files, highlighting the extent of the risk linked to these practices.
Analysis and outlook
On their blog, the developers explain: “A vulnerability has been discovered when FontForge parses the table of contents (TOC) of an archive file. The TOC is a list of all compressed files in the archive and FontForge uses it to extract a font file to perform actions on it.”
They were then able to create an archive containing a malicious file name, bypassing traditional file name sanitization techniques, and triggering the exploit code.
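The archive TOC issue described above comes down to an entry name reaching a font tool unvalidated. The following is an added example, not Canva's or FontForge's code, of the defensive pattern the researchers recommend: treating every entry name in a font archive as untrusted input, allowlisting rather than stripping, and building the tool's argument vector without a shell. The allowlist pattern, the `--` end-of-options marker (which the invoked tool must honour) and the sample archive are all constructed here.

```python
from __future__ import annotations
import io
import re
import zipfile
from pathlib import PurePosixPath

# Constructed allowlist: a bare file name, alphanumeric start, font extension only.
SAFE_ENTRY = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_.-]{0,63}\.(ttf|otf|woff|woff2)$")


def validate_entry(name: str) -> bool:
    """Accept an archive entry name only if it is a plain font file name.

    Directory components (including traversal), shell metacharacters, leading
    dashes and unexpected extensions all fail the allowlist and are rejected."""
    if name != PurePosixPath(name).name:  # any path component at all -> reject
        return False
    return SAFE_ENTRY.fullmatch(name) is not None


def safe_entries(archive_bytes: bytes) -> tuple[list[str], list[str]]:
    """Split an archive's table of contents into accepted and rejected names."""
    accepted, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            (accepted if validate_entry(info.filename) else rejected).append(info.filename)
    return accepted, rejected


def tool_argv(tool: str, entry: str) -> list[str]:
    """Build an argv list (never a shell string) for a validated entry; '--' ends options."""
    if not validate_entry(entry):
        raise ValueError(f"rejected archive entry: {entry!r}")
    return [tool, "--", entry]


def build_archive(names: list[str]) -> bytes:
    """Constructed sample archive; the payload bytes are placeholders, not real fonts."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for n in names:
            zf.writestr(n, b"\x00\x01\x00\x00")
    return buf.getvalue()


SAMPLE = build_archive([
    "Regular.ttf",
    "Bold-Italic_v2.woff2",
    "../../etc/passwd.ttf",      # path traversal hidden in the TOC
    "font.ttf; echo injected",   # shell metacharacters in the entry name
    "-output=x.ttf",             # would be parsed as a command-line option
    "$(id).otf",                 # command substitution if passed through a shell
])

if __name__ == "__main__":
    ok, bad = safe_entries(SAMPLE)
    print("accepted:", ok)
    print("rejected:", bad)
```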
Canva highlighted that the font landscape is rich in attack surfaces, as businesses and individuals alike need unique typography – each with its own specifications.
Researchers have advocated treating fonts like any other untrusted input and believe that font security is an area severely lacking in security research.
Source: The Register, Canva