Google has open-sourced an internal tool that can help security researchers find security bugs in font display (rasterization) components.

The tool is named BrokenType and is the work of Google Project Zero security engineer Mateusz Jurczyk, one of the leading experts in font-related security bugs [1, 2, 3].

At its core, BrokenType is a fuzzer: a tool that feeds a software application large quantities of random data and analyzes its output for abnormalities, which in turn give developers a hint about the presence of possible bugs in their code.

Just like most Google open-source projects, BrokenType is a respectable and battle-tested tool. Jurczyk says he used BrokenType between 2015 and 2017 to find and report 20 vulnerabilities in the Windows kernel font rasterization library, and another 19 security flaws in Microsoft Uniscribe, a Windows API for controlling the operating system’s typography settings.

Jurczyk says that BrokenType will help security researchers identify vulnerabilities affecting libraries used for rendering TrueType and OpenType fonts, the two most widespread font formats used today.

Due to the crucial importance and prevalence of font rasterization libraries in practically every desktop and mobile operating system, font security issues are highly sought after by attackers, as one vulnerability alone could allow threat actors to target a multitude of OS versions and platforms.

For example, HackingTeam, an Italian…
ZDNet is a business technology news website published by CBS Interactive, along with TechRepublic. The brand was founded on April 1, 1991, as a general interest technology portal from Ziff Davis and evolved into an enterprise IT-focused online publication owned by CNET Networks.