
Why NoScript Blocks Web Fonts - mbrubeck
http://hackademix.net/2010/03/24/why-noscript-blocks-web-fonts/
======
steve19
<http://en.wikipedia.org/wiki/Truetype#Hinting_language>

~~~
cgranade
Thanks! I was wondering why on earth a font engine needed a full VM, but that
makes a lot more sense now.

------
prodigal_erik
This is what we get for assuming every user wants native code to have all
their privileges as it munges untrusted data. I keep hoping something like a
capability-based system will come along and trump both Unix and Windows, but
if a litany of security trainwrecks isn't enough motivation, I can't imagine
how it could happen.

------
plesn
Hopefully this will lead to enhancements in FreeType (or some competition).
Anyway, users will prefer shiny lolcat fonts to their own security...

------
jrockway
libpng was also vulnerable to arbitrary code injection, but NoScript doesn't
block images by default...

If you write your software in C, it's not really safe to expose to the
Internet.

~~~
tedunangst
Good thing none of the modern browsers or web servers are written in anything
like C.

~~~
jrockway
They are, and that's why they're not safe to expose to the Internet.

