
As you may already know, now that Mozilla has fixed the recent Firefox 3.6 “0-day” at light speed and the vulnerability details are public, the feature that was protecting NoScript’s users against it by default is Forbid @font-face.

NoScript Options|Embeddings|Forbid @font-face

The @font-face CSS rule allows web authors to download online typefaces (so called “web fonts”) on the fly, enhancing the rendering of their pages’ text:

By allowing authors to provide their own fonts, @font-face eliminates the need to depend on the limited number of fonts users have installed on their computers.

A web font inclusion blocked by NoScript

If you’re wondering why NoScript — for a long time now — has been treating web fonts the same way as other “active” embeddings, such as plugin content and HTML 5 media elements, here’s an excerpt of an email which Mike Perry (Mr. Torbutton) sent me last year, eloquently advocating this treatment:

It really worries me that the FreeType font library is now being made to accept untrusted content from the web.

The library probably wasn’t written under the assumption that it would be fed much more than local fonts from trusted vendors who are already installing arbitrary executables on a computer, and it’s already had a handful of vulnerabilities found in it shortly after it first saw use in Firefox.

It is a very large library that actually includes a virtual machine that has been rewritten from Pascal to single-threaded non-reentrant C to reentrant C… The code is extremely hairy and hard to review, especially for the VM.

The reason I don’t want to do this blocking in Torbutton is because Torbutton is only about protecting users from privacy risks, not general security risks. Users who want enhanced security are encouraged to use your extension and others on our FAQ page.

Don’t panic.

Bürger-CERT (“Germany’s official cyber-security response team”) is warning users against using Firefox until version 3.6.2 (scheduled for March the 30th) is out, on the assumption that Secunia SA38608 needs to be considered a 0-day threat, but:

  1. There’s no evidence of this vulnerability being exploited in the wild, even though paying customers of the VulnDisco security product have been given access to a working exploit since February the 1st.
  2. A patched Firefox release candidate is already available, so if you’re really scared or impatient you can get it here.
  3. As almost always happens, NoScript* has been protecting its users since day 0, keeping its promise of preventing exploitation of security vulnerabilities (known and even not known yet!).

* in its default configuration, and even better in its full content blocking mode.

Update 2010-03-23

In the meantime, Mozilla decided to go through the effort of moving Firefox 3.6.2 forward by one whole week for the greater good, so if you haven’t seen the “Available update” message yet, just use Help|Check for updates now.

Now that vulnerability details are not embargoed anymore, I can add that exploitation required the browser to load a specially crafted web font. The relevant NoScript feature protecting against this is NoScript Options|Embeddings|Forbid @font-face, which is checked by default.

About.com Reader's Choice Award
You already nominated it, now it’s time for the final push: vote here!

P.S.: ironically, it looks like in order to cast your ballot you need to Temporarily allow about.com first.

P.S.: talking about Italy, my friend Leonardo just launched a web site where he sells Nero D’Avola and other high quality Sicilian typical wines that he produces with true passion and great results in his own sunny vineyards. Worth a visit!

Just read about it, and nominations close today, so hurry up and show your love:
2010 About.com Reader’s Choice Awards: Best Privacy/Security Add-On.
Who you gonna call?

P.S.: bring your nest :)
