Embedded open type fonts - The risk lurking up


The web is becoming a playground for different types of attacks. There is a lot of talk about the realm of Microsoft EOT (Embedded OpenType) fonts, which are being used to launch different types of attacks.

Recently I gave a talk at the Excalibur Conference, China, in which I talked about launching a CSRF attack in a stealthy manner through EOT. By using EOT, an attacker can bypass the error-generation mechanism in the web-based interfaces used for embedded devices such as routers.

EOT fonts are embedded as objects in documents at the web level and are loaded dynamically when a request is issued for a specific object or web page. EOT is considered one of the prominent font-embedding technologies and is used extensively in Microsoft Office and Internet Explorer. It allows web pages to embed their own fonts, which makes the loading self-triggered in nature.

Usually the exploitation paradigm revolves around the stealth functionality provided by EOT. This can be used by malware too, as described in a generic manner in this link.

The risk factor of EOT is getting high. To look further into EOT, try a search at Microsoft.