Skip to content
Home » security » Another reason to block fonts at the proxy

Another reason to block fonts at the proxy

Last week Apple released a bunch of patches up and down its product line. One of the vulnerabilities it fixed in OS X was a vulnerability in its font parser.

In the past you could mitigate vulnerabilities like this by only installing fonts from trusted sources, but since it’s now possible for web pages to transmit fonts along with other content, there’s a limitless number of untrusted fonts out there in the world.

Since it may take a while for all of the major operating systems to shake out all of the problems in their font subsystems, that’s the reason I’ve recommended filtering fonts at the proxy.

If that’s going to cause a problem, there are some workarounds. Most web proxies allow you to create an exception to these rules for business-critical web sites, so that way you can allow those sites to continue to operate as if nothing changed, while blocking them everywhere else.

Since there isn’t anything comparable to Windows’ Group Policy for Macs, far and away the easiest way to protect them in a workplace setting is by filtering at the proxy. It will protect your PCs as well.

Don’t expect this proposal to be popular if you float it, especially in a Macintosh-heavy shop. Then again, it wasn’t a popular proposal at my workplace, but the CIO agreed it was a good idea, and after we implemented it, I haven’t heard of anyone noticing it, although blocking Flash remains unpopular.

If you found this post informative or helpful, please share it!

2 thoughts on “Another reason to block fonts at the proxy”

  1. The problem being that more and more websites are using custom fonts to implement their buttons, instead of image files.

    I turned off downloadable fonts recently in my browser because I was tired of suffering through other people’s demented ideas of nice looking fonts, and discovered that several sites and services suddenly stopped showing the proper buttons.

    1. I see that occasionally but haven’t found it to be a problem. At work you could whitelist at the proxy, allowing business-related sites to download fonts, but block them everywhere else. We block everywhere and haven’t had any complaints though. We do allow Flash from sites belonging to companies we have a business relationship with.

Comments are closed.

%d bloggers like this: