Last week Apple released a bunch of patches up and down its product line. One of the issues it fixed in OS X was a vulnerability in its font parser.
In the past you could mitigate vulnerabilities like this by only installing fonts from trusted sources, but since it’s now possible for web pages to transmit fonts along with other content, there’s a limitless number of untrusted fonts out there in the world.
Because it may take a while for all of the major operating systems to shake out all of the problems in their font subsystems, I’ve recommended filtering fonts at the proxy.
If that’s going to cause a problem, there are some workarounds. Most web proxies allow you to create an exception to these rules for business-critical web sites, so you can allow those sites to continue to operate as if nothing changed, while blocking fonts everywhere else.
Since there isn’t anything comparable to Windows’ Group Policy for Macs, far and away the easiest way to protect them in a workplace setting is by filtering at the proxy. It will protect your PCs as well.
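The rule described above, blocking fonts at the proxy except on exempted business-critical sites, expressed as decision logic. This is an added example, not code from the original post or from any particular proxy product; the domain names, function names and the check on the first bytes of the response body are assumptions for illustration.

```python
from urllib.parse import urlsplit

# Hypothetical allowlist of business-critical sites that keep their web fonts.
FONT_EXEMPT_DOMAINS = {"intranet.example.com", "example.org"}

FONT_EXTENSIONS = (".woff", ".woff2", ".ttf", ".otf", ".eot", ".ttc")
FONT_MIME_PREFIXES = ("font/", "application/font-", "application/x-font-",
                      "application/vnd.ms-fontobject")
# Leading bytes of WOFF, WOFF2, OpenType/CFF, TrueType and TrueType collections,
# checked so a font served under a generic or wrong Content-Type is still caught.
FONT_MAGIC = (b"wOFF", b"wOF2", b"OTTO", b"\x00\x01\x00\x00", b"ttcf")


def is_exempt(host, exempt=FONT_EXEMPT_DOMAINS):
    """True if host equals an exempt domain or is a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in exempt)


def looks_like_font(url, content_type, body_start):
    """Classify a response as a font by URL extension, MIME type or magic bytes."""
    path = urlsplit(url).path.lower()  # query string is excluded from .path
    mime = (content_type or "").split(";")[0].strip().lower()
    if path.endswith(FONT_EXTENSIONS):
        return True
    if mime.startswith(FONT_MIME_PREFIXES):
        return True
    return body_start.startswith(FONT_MAGIC)


def should_block(url, content_type, body_start):
    """Proxy decision: block fonts everywhere except on exempt sites."""
    host = urlsplit(url).hostname or ""
    return looks_like_font(url, content_type, body_start) and not is_exempt(host)
```

A proxy can only apply this to traffic it can read, so HTTPS responses are covered only where the proxy inspects TLS.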
Don’t expect this proposal to be popular if you float it, especially in a Macintosh-heavy shop. Then again, it wasn’t a popular proposal at my workplace, but the CIO agreed it was a good idea, and after we implemented it, I haven’t heard of anyone noticing it, although blocking Flash remains unpopular.