dildog wrote: > I suppose that IE's 'automatic font download' support (which is on by > default) would exacerbate this problem, correct? If you mean IE's font embedding support, it's unclear. Embedded font files are a different format than standard font files (to prevent piracy). They are not viewable in Font Viewer, so I doubt this same sort of attack could be done that way. If the folks who gave us this OTF want to try it on a EOT file (MS's embedding format) and see if they can crash IE (or get it to execute code), that'd be interesting. If you mean IE's international support, which will download fonts when necessary, then yes, it would be vulnerable to this attack, but since it only downloads those files directly from Microsoft, it's no more of a danger than a Service Pack or anything else you get from them. If MS's download area is compromised, people have a lot more to fear than trojaned font files. -- ---------------------------------------------------------------------------- Kim Scarborough Web Systems Administrator University of Chicago/NSIT (773) 834-7740 ----------------------------------------------------------------------------
This archive was generated by hypermail 2b30 : Tue Jan 07 2003 - 19:02:47 PST