Canva Unveils Flawed Fonts Fiasco: Cybersecurity Crumbles with Wrong Typeface Choices

Choosing the wrong font could unleash a cybersecurity Pandora’s box, and Canva’s latest “Helvetica of a Problem” report spells it out. Beware, or your text might do more than just Comic Sans your reputation! #FontSecurityFauxPas

Hot Take:

Who knew fonts could be the Times New Roman of cybersecurity threats? Canva’s report, “Fonts are still a Helvetica of a Problem,” sounds like a typographic thriller where the good guys battle the evil Serif of Vulnerabilities. It’s the kind of plot twist that makes you never look at Comic Sans the same way again. So, next time you’re picking a font, remember it’s not just about aesthetics; it’s a security choice. Choose wisely, or your next font might just be “Ransomware Italic.”

Key Points:

  • Canva’s security team has discovered vulnerabilities in font processing tools, painting a picture where even the most innocent Helvetica could be a wolf in Arial’s clothing.
  • The first villain of the story, CVE-2023-45139, was found lurking in the shadows of FontTools, ready to unleash its XML wrath.
  • Meanwhile, CVE-2024-25081 and CVE-2024-25082, the sneaky duo, were plotting command injections through the dark alleys of naming conventions and compression.
  • FontTools, FontForge, and ImageMagick, once potential accomplices, have now been patched after a heads-up from Canva’s caped crusaders.
  • Canva’s moral of the story: Treat fonts like you would any stranger offering you candy, with a healthy dose of suspicion and a sandbox to play in safely.

Title: fonttools XML External Entity Injection (XXE) Vulnerability
CVE ID: CVE-2023-45139
CVE state: PUBLISHED
CVE assigner short name: GitHub_M
CVE date updated: 01/10/2024
CVE description: fontTools is a library for manipulating fonts, written in Python. The subsetting module has an XML External Entity Injection (XXE) vulnerability which allows an attacker to resolve arbitrary entities when a candidate font (OT-SVG fonts), which contains a SVG table, is parsed. This allows attackers to include arbitrary files from the filesystem fontTools is running on or make web requests from the host system. This vulnerability has been patched in version 4.43.0.

CVE ID: CVE-2024-25081
CVE state: PUBLISHED
CVE assigner short name: mitre
CVE date updated: 03/08/2024
CVE description: Splinefont in FontForge through 20230101 allows command injection via crafted filenames.

CVE ID: CVE-2024-25082
CVE state: PUBLISHED
CVE assigner short name: mitre
CVE date updated: 03/08/2024
CVE description: Splinefont in FontForge through 20230101 allows command injection via crafted archives or compressed files.
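The XXE in the fontTools record above comes down to one thing: the SVG table of an OT-SVG font is XML, and an XML parser that honours DTD entity declarations will happily read files or make requests on the attacker's behalf. As an added, defender-side example (not fontTools' own code or its 4.43.0 fix), the following Python pre-scans an SVG table document with expat, records every DTD feature an XXE payload needs without fetching anything, and only then hands the document to ElementTree. The two documents are constructed samples; the gate functions and their names are hypothetical.

```python
import xml.etree.ElementTree as ET
import xml.parsers.expat as expat


class UnsafeSvgDocument(ValueError):
    """Raised when an SVG table document declares or references DTD entities."""


def inspect_svg_document(xml_bytes: bytes) -> list:
    """Pre-scan with expat and log DOCTYPE, entity declarations and external
    references. Nothing is resolved: the external-ref hook only records it."""
    findings = []
    parser = expat.ParserCreate()

    def on_doctype(name, system_id, public_id, has_internal_subset):
        findings.append(f"DOCTYPE declaration for {name!r}")

    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        kind = "external" if (system_id or public_id) else "internal"
        findings.append(f"{kind} entity declaration {name!r}")

    def on_external_ref(context, base, system_id, public_id):
        findings.append(f"external entity reference to {system_id!r}")
        return 1  # non-zero tells expat to continue without resolving anything

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    parser.Parse(xml_bytes, True)
    return findings


def parse_svg_table_document(xml_bytes: bytes):
    """Hypothetical gate in front of a subsetter: reject any document that uses
    DTD entities, then parse with ElementTree, which never fetches external ones."""
    findings = inspect_svg_document(xml_bytes)
    if findings:
        raise UnsafeSvgDocument("; ".join(findings))
    return ET.fromstring(xml_bytes)


# Constructed sample documents (not taken from any real font file).
BENIGN_SVG = (
    b'<svg xmlns="http://www.w3.org/2000/svg" id="glyph42">'
    b'<path d="M0 0h10v10H0z"/></svg>'
)
XXE_SVG = (
    b'<!DOCTYPE svg [<!ENTITY xxe SYSTEM "file:///etc/hostname">]>'
    b'<svg xmlns="http://www.w3.org/2000/svg" id="glyph42"><text>&xxe;</text></svg>'
)
```

The findings list is what you would log or alert on: a DOCTYPE or an entity declaration has no business inside a glyph document, so its mere presence is a detection signal independent of whether the reference would have resolved.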

Need to know more?

Font Fiasco: A Serif-ious Concern

Canva's dive into the depths of font security has surfaced not one, not two, but three vulnerabilities that could turn a simple text into a Trojan horse. This tale begins with CVE-2023-45139, a villainous flaw in FontTools' subsetter: a rogue SVG table, parsed as XML, could use external entities to read files from the host or make web requests on its behalf. But fear not, for the patch cavalry arrived just three days post-revelation!

The Unusual Suspects: Naming Conventions and Compression

The plot thickens with CVE-2024-25081 and CVE-2024-25082, the partners in crime that brought command injection into the spotlight. These two showed that even something as mundane as a crafted filename or a compressed archive could open the door to cyber shenanigans. Thankfully, our heroes at FontForge and ImageMagick have since bolted those doors shut.

The Guardians of Open Source

Hats off to the open-source maintainers who, faster than you can say "OpenType-Sanitizer," swooped in to address these issues. Canva's report is a shout-out to these unsung heroes and a reminder to IT workers everywhere to don their digital armor and sandbox like their data depended on it.

The More You Know: Font Security History

While Canva's font fright might seem like breaking news, Google was already scribbling in the margins of this story nearly ten years ago. However, with cyber threats evolving from annoying pop-ups to full-blown data heists, Canva's advice to scrutinize the lesser-known attack surfaces is a font of wisdom in today's digital landscape.

Extra! Extra! Read All About It!

For those who want to continue down the rabbit hole of cyber safety, TechRadar Pro offers insights on the best endpoint protection tools and the ongoing battle between Cloudflare and Google over—you guessed it—fonts. And if you're looking to upgrade your arsenal, they've got tips on the best business laptops and mobile workstations. So, subscribe to their newsletter, and stay informed; your cybersecurity may depend on it!

Tags: Command Injection, CVE-2023-45139, font security, FontTools vulnerability, OpenType-Sanitizer, Software Patching, untrusted input