Last Updated on December 5, 2015 by Dave Farquhar
Last week Apple released a bunch of patches up and down its product line. One of the fixes for OS X addressed a vulnerability in its font parser.
In the past you could mitigate vulnerabilities like this by only installing fonts from trusted sources, but since web pages can now deliver fonts along with their other content, there’s a limitless number of untrusted fonts out there in the world.
Since it may take a while for all of the major operating systems to shake out all of the problems in their font subsystems, I’ve recommended filtering fonts at the proxy.
If that’s going to cause a problem, there are some workarounds. Most web proxies allow you to create an exception to these rules for business-critical web sites, so those sites continue to operate as if nothing changed while fonts are blocked everywhere else.
Since there isn’t anything comparable to Windows’ Group Policy for Macs, far and away the easiest way to protect them in a workplace setting is by filtering at the proxy. It will protect your PCs as well.
Don’t expect this proposal to be popular if you float it, especially in a Macintosh-heavy shop. It wasn’t a popular proposal at my workplace either, but the CIO agreed it was a good idea, and since we implemented it I haven’t heard of anyone noticing, although blocking Flash remains unpopular.
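The rule described above is simple enough to write down. The following is an added example, not code from the original post or from any particular proxy product: it shows the decision a font-blocking proxy rule makes for each request, with an allowlist exception for business-critical sites. It recognises fonts by both the URL extension and the response Content-Type (so fonts served from extension-less CDN paths are still caught), and matches allowlisted hosts exactly or as subdomains so that a look-alike domain cannot ride on the exception. The host names, URLs and allowlist entries are constructed for the example.

```python
"""Decision logic for blocking web fonts at a filtering proxy, with an
allowlist for business-critical sites.  Added example; the domains and
URLs below are constructed, not taken from any real deployment."""

from typing import Optional, Tuple
from urllib.parse import urlsplit

# File extensions and MIME types browsers use for downloadable fonts.
FONT_EXTENSIONS = (".woff", ".woff2", ".ttf", ".otf", ".eot")
FONT_MIME_TYPES = (
    "font/",                          # font/woff, font/woff2, font/ttf, font/otf
    "application/font-woff",
    "application/font-woff2",
    "application/x-font-ttf",
    "application/x-font-opentype",
    "application/vnd.ms-fontobject",  # legacy .eot
)

# Hypothetical allowlist of sites still permitted to serve fonts (constructed).
ALLOWED_FONT_SITES: Tuple[str, ...] = ("intranet.example.com", "crm-vendor.example.net")


def looks_like_font(url: str, content_type: Optional[str]) -> bool:
    """True if the request URL or the response Content-Type indicates a font.

    The extension check works on the request alone; the Content-Type check
    needs the response, but catches fonts served from extension-less URLs.
    """
    path = urlsplit(url).path.lower()
    if path.endswith(FONT_EXTENSIONS):
        return True
    if content_type:
        # Drop parameters such as "; charset=..." and compare case-insensitively.
        media_type = content_type.split(";", 1)[0].strip().lower()
        return media_type.startswith(FONT_MIME_TYPES)
    return False


def host_allowed(host: str, allowed: Tuple[str, ...] = ALLOWED_FONT_SITES) -> bool:
    """Exact or subdomain match only: 'evilexample.com' must not match 'example.com'."""
    host = host.lower().rstrip(".")
    return any(host == a or host.endswith("." + a) for a in allowed)


def decide(url: str, content_type: Optional[str] = None) -> str:
    """Return 'block' for a font from a non-allowlisted host, otherwise 'allow'."""
    if not looks_like_font(url, content_type):
        return "allow"
    host = urlsplit(url).hostname or ""
    return "allow" if host_allowed(host) else "block"


if __name__ == "__main__":
    # Constructed sample traffic: (URL, response Content-Type or None).
    samples = [
        ("https://news.example.org/assets/brand.woff2", None),
        ("https://cdn.example.org/f/abc123", "font/woff2"),
        ("https://intranet.example.com/static/ui.woff", None),
        ("https://intranet.example.com.evil.example/ui.woff", None),
        ("https://news.example.org/index.html", "text/html; charset=utf-8"),
    ]
    for url, ct in samples:
        print(f"{decide(url, ct):5}  {url}")
```

In a real proxy this logic is expressed as an ACL rather than code; Squid, for instance, has `rep_mime_type` and `dstdomain` ACL types and an `http_reply_access deny` rule for exactly this pairing. Note that a server can label a font `application/octet-stream`, which no MIME list will catch, so the extension check and a review of the proxy's logs for what does get through are both worth keeping.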

David Farquhar is a computer security professional, entrepreneur, and author. He has written professionally about computers since 1991, so he was writing about retro computers when they were still new. He has been working in IT professionally since 1994 and has specialized in vulnerability management since 2013. He holds Security+ and CISSP certifications. Today he blogs five times a week, mostly about retro computers and retro gaming covering the time period from 1975 to 2000.

The problem is that more and more websites are using custom fonts to implement their buttons, instead of image files.
I turned off downloadable fonts recently in my browser because I was tired of suffering through other people’s demented ideas of nice looking fonts, and discovered that several sites and services suddenly stopped showing the proper buttons.
I see that occasionally but haven’t found it to be a problem. At work you could whitelist at the proxy, allowing business-related sites to download fonts, but block them everywhere else. We block everywhere and haven’t had any complaints though. We do allow Flash from sites belonging to companies we have a business relationship with.