Microsoft rushed out an out-of-band patch, MS15-078, to deal with active exploits in their font driver yesterday. Since pushing out patches takes time, my boss asked me what we could do to mitigate the issue in the meantime.
The biggest threat, by far, is exploit-bearing fonts being downloaded from web sites. Ideally you only install trusted fonts from trusted sources locally on your workstations, right? If not, I suggest you start that practice as well.
You have a couple of options when it comes to blocking fonts in browsers.
The best way to do it in corporate environments is to block .ttf, .otf, .woff and .woff2 filetypes at your proxy server. Or, since this particular vulnerability affects .otf, block that extension, but blocking all four is a better all-around solution. This idea made our web designer very nervous, for reasons I completely understand, but you can whitelist your own sites (which ideally aren’t proxied anyway) and your business partners’ sites. If you don’t know who your business partners are, find out now. As time goes on, that job will only get harder. If I sound like I’m talking from experience, it’s because I am.
I notice the difference, since I have a journalism background including plenty of design and layout experience. Someone like me will notice a lot more Times New Roman and Arial all of a sudden. To anyone else, things just look a bit different: less variety than we’re used to in 2015, but the sites are readable. I volunteered to be the first to go into the test group, and I described it as the web looking like it’s 2009 or maybe even 2005 again.
While you’re inside the proxy, I also highly recommend you block .jar (Java), .swf and .flv (Flash) files from all but trusted business partner sites as well. Doing this will dramatically improve your security posture, as it closes off the easiest vectors for infection.
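To make the proxy rule concrete, here is an added example (my own code, not from the original post or any particular proxy product) that models the policy described above: deny the seven listed file types everywhere except on an allowlist of your own and your partners’ domains. It also checks the response Content-Type, since a font served from a URL without an extension would otherwise slip past an extension-only rule. Domain names and URLs are constructed placeholders.

```python
"""Policy model for the proxy rule above: block web fonts (and Flash/Java)
from everywhere except allowlisted business domains."""
from __future__ import annotations
from typing import Optional
from urllib.parse import urlsplit

# File types the post recommends blocking at the proxy.
BLOCKED_EXTENSIONS = {"ttf", "otf", "woff", "woff2", "jar", "swf", "flv"}

# Response Content-Types carrying the same payloads when the URL has no
# tell-tale extension: RFC 8081 font/* types plus the older legacy names.
BLOCKED_MIME_PREFIXES = ("font/",)
BLOCKED_MIME_TYPES = {
    "application/font-woff", "application/font-woff2",
    "application/x-font-ttf", "application/x-font-otf",
    "application/java-archive", "application/x-shockwave-flash",
    "video/x-flv",
}


def host_allowed(host: str, allowlist: set[str]) -> bool:
    """True if host is an allowlisted domain or a subdomain of one.
    Matching on whole labels keeps 'corp.example.evil.test' out."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in allowlist)


def decide(url: str, allowlist: set[str],
           content_type: Optional[str] = None) -> str:
    """Return 'allow' or 'deny' for one request. content_type is the
    response header, if the proxy already has it (hypothetical API)."""
    parts = urlsplit(url)
    if host_allowed(parts.hostname or "", allowlist):
        return "allow"          # trusted site: fonts, Flash and Java pass
    # Extension check on the last path segment only: query string and
    # fragment are ignored and the comparison is case-insensitive.
    name = parts.path.rsplit("/", 1)[-1]
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if ext in BLOCKED_EXTENSIONS:
        return "deny"
    if content_type:
        mime = content_type.split(";")[0].strip().lower()
        if mime in BLOCKED_MIME_TYPES or mime.startswith(BLOCKED_MIME_PREFIXES):
            return "deny"
    return "allow"


if __name__ == "__main__":
    trusted = {"corp.example", "partner.example"}
    for u in ("http://cdn.example.test/fonts/Regular.OTF?v=3",
              "https://www.corp.example/fonts/a.woff2",
              "https://corp.example.evil.test/a.ttf"):
        print(decide(u, trusted), u)
```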
If you want to do this at home, or you don’t have a proxy server, you can disable web font downloads in Firefox by navigating to about:config and setting gfx.downloadable_fonts.enabled to false. In Chrome, you can install the Disable Web Fonts add-on. In Internet Explorer, go to Tools, Internet Options, Security, select “Internet,” then click “Custom level.” Scroll to “Font Download,” then select “Disable.”
Another potential good side effect, if you’re bandwidth constrained, is that disabling these font downloads will reduce your web traffic.
Of course you can do all of this with group policy and other tricks, but in a corporate environment I’d much rather do it at the proxy server level. Browsers that are unauthorized, or at least unsanctioned, constantly show up in environments, so blocking at the proxy gives those stray browsers the protection they need.
Disabling web fonts might be something you only want to do in the months when Microsoft releases a patch to its font subsystem, to buy time until you can get the patches down (you can expect this to happen 3-4 times per year). But only allowing them on select sites via a proxy server gives you protection against undiscovered vulnerabilities, which, if we’ve learned anything in 2015, do indeed exist and aren’t as expensive as we once thought. This provides a lower-quality user experience when it comes to the Web at large, but you’re a business, not an ISP. A complaint I frequently hear is that threat and vulnerability analysts know how to patch, but they don’t know how to mitigate when patching isn’t an option. Blocking these fonts is an outstanding example of mitigation.
Ultimately the decision to block or not block font downloads has to come from a three-letter executive in most organizations, but don’t be surprised if it’s a decision many CIOs are willing to make since the threat landscape isn’t getting any less hostile. They just need to know the option is available. It’s your job and mine to let them know.