Is it possible for a True Type Font file to have any kind of
virus/spyware/malware?
Leythos wrote:
>In article <xn0essqo720vj5001@newsgroups.comcast.net>, void@no.spam.com
>says...
>>Is it possible for a True Type Font file to have any kind of
>>virus/spyware/malware?
>
>It's possible for anything that appears to be a TTF to be something
>else. Many malware hide as font.someextension.........exe.
>
>It's not the extension that makes the file type, it's the contents.
>
>Now, if you mean a real TTF, then, no, it can't contain malware strictly
>speaking.
So if I install the TTF file in Windows and can see that it is an actual
font, then that means it cannot contain any malware?
From: "void" <void@no.spam.com>
| Is it possible for a True Type Font file to have any kind of
| virus/spyware/malware?
If you can view a Font in the FontViewer then it has no payload.
A DLL file could be renamed to TTF and be loaded via the Registry and HIDE in the Font
directory.
--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
In article <Ia1%g.18161$pq4.13929@tornado.ohiordc.rr.com>,
void@nowhere.lan says...
.....
> Oh, and you don't "Install" fonts, you just copy them to the fonts
> folder - what are you really doing?
Actually, you DO "install" fonts.
In the font folder, File, Install New Fonts, whether you get there via
Control Panel or Win Explorer.
Been this way since Win 95 (I disremember re Win3).
While just copying them in there usually works, it's preferred to
"install" them (registry notations and whatnot). Lots of proggie font
problems that occur can be corrected by deleting or moving the fonts out
the font folder and then "installing" them again rather than just
copying them in.
MM
In article <EEl%g.18298$pq4.1055@tornado.ohiordc.rr.com>,
void@nowhere.lan says...
......
> The question still stands, I wonder what the OP was really trying to do
> that they were concerned about a font containing malware.
I assume he was just concerned re installing some freebie fonts he found
somewhere...
MM
MoiMoi wrote:
>In article <EEl%g.18298$pq4.1055@tornado.ohiordc.rr.com>,
>void@nowhere.lan says...
>.....
>>The question still stands, I wonder what the OP was really trying to do
>>that they were concerned about a font containing malware.
>
>I assume he was just concerned re installing some freebie fonts he found
>somewhere...
Yeah, most sites that offer free fonts aren't really well known, so I
wanted to make sure it's clean.
In article <EEl%g.18298$pq4.1055@tornado.ohiordc.rr.com>,
Leythos <void@nowhere.lan> wrote:
> The question still stands, I wonder what the OP was really trying to do
> that they were concerned about a font containing malware.
Well, a font does contain hinting, in the form of a program for the True
Type hinting virtual machine. Basically, a True Type font contains a
mathematical description of the outlines of the glyphs, and then code,
in the form of assembly language for that virtual machine, to tweak the
glyphs for the particular sizes needed.
I haven't looked, in detail, at what is allowed in the language for that
virtual machine, but it is at least conceivable that a buggy
implementation of the virtual machine could allow the hints to cause a
buffer overflow and arbitrary code execution, and so could actually be
used as a vector for malware.
From overviews of what hinting code can do, though, it looks like it
would be pretty easy to design the virtual machine to be completely
safe. On the other hand, I could easily see a developer worrying about
speed, and taking some shortcuts that would leave some holes (although I
think with glyph caching, there would be no noticeable impact on actual
system performance if the hinting virtual machine was slow).
I've never heard of any kind of malware using this mechanism, and I
don't recall seeing any security updates on any OS to address holes in
True Type font handling, so my guess is there isn't much to worry about
here. (On the other hand, this would be a pretty damned obscure way to
attack--it is possible no malware authors have investigated it).
--
--Tim Smith
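
Added example (not part of the thread or any poster's code): a content-based check in Python that tells a renamed PE file from a real sfnt/TrueType container, the point raised in the replies about extensions and renamed DLLs, and reports whether the font carries hinting tables (`fpgm`, `prep`, `cvt `). The function names and sample byte strings are constructed for illustration; a passing result only identifies the container and says nothing about whether the hinting bytecode is benign.

```python
import struct

# sfnt version tags: TrueType outlines (0x00010000 or 'true'), CFF ('OTTO'), collections ('ttcf').
SFNT_TAGS = {b"\x00\x01\x00\x00": "TrueType", b"true": "TrueType (Apple)",
             b"OTTO": "OpenType/CFF", b"ttcf": "TrueType collection"}
HINT_TABLES = ("fpgm", "prep", "cvt ")  # hinting bytecode programs and their control values


def inspect_font(data: bytes) -> dict:
    """Classify a file by content and, for a single sfnt font, list its tables."""
    if data[:2] == b"MZ":
        return {"kind": "PE executable (not a font)", "ok": False}
    kind = SFNT_TAGS.get(data[:4])
    if kind is None:
        return {"kind": "unknown (not an sfnt font)", "ok": False}
    if data[:4] == b"ttcf":  # collection header differs; per-font parsing not done here
        return {"kind": kind, "ok": True, "tables": [], "hint_tables": []}
    if len(data) < 12:
        return {"kind": "truncated sfnt header", "ok": False}
    num_tables = struct.unpack(">H", data[4:6])[0]
    tables = []
    for i in range(num_tables):
        rec = data[12 + 16 * i: 28 + 16 * i]
        if len(rec) < 16:
            return {"kind": "truncated table directory", "ok": False}
        tag, _checksum, offset, length = struct.unpack(">4sIII", rec)
        # Every table must lie inside the file; a parser that skips this reads out of bounds.
        if offset + length > len(data):
            return {"kind": f"table {tag!r} out of bounds", "ok": False}
        tables.append(tag.decode("latin-1"))
    return {"kind": kind, "ok": True, "tables": tables,
            "hint_tables": [t for t in tables if t in HINT_TABLES]}


def _build_sample(tags):
    """Constructed minimal sfnt: header, table directory, 4 data bytes per table."""
    out = struct.pack(">4sHHHH", b"\x00\x01\x00\x00", len(tags), 0, 0, 0)
    base = 12 + 16 * len(tags)
    for i, tag in enumerate(tags):
        out += struct.pack(">4sIII", tag, 0, base + 4 * i, 4)
    return out + b"\x00" * (4 * len(tags))


SAMPLE_FONT = _build_sample([b"fpgm", b"glyf", b"prep"])  # constructed sample
SAMPLE_RENAMED_DLL = b"MZ\x90\x00" + b"\x00" * 60         # constructed: start of a PE file

if __name__ == "__main__":
    print(inspect_font(SAMPLE_FONT))
    print(inspect_font(SAMPLE_RENAMED_DLL))
```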