Fonts eat a bullet in Microsoft security patch - iProject
http://www.theregister.co.uk/2012/12/17/windows_security_update_kills_fonts/

======
pilif
_> I have thousands of fonts and have yet to see (or hear) of one that would
trigger the security problems supposedly resolved by this update._

This is the completely backwards thinking that causes people not to install
security updates. Too bad it's repeated here in bold on a publication and
subsequently even linked on HN.

Of course none of the fonts you have installed is using the security flaw.

But that newly created malicious font that is being used from that ad banner
on that website you just visited is certainly going to use the security flaw
to install additional malware on your system.

This has nothing to do with the existing fonts you deliberately installed but
everything to do with newly created fonts that you don't deliberately install.

Another note: I really think MS should have fixed the vulnerability in their
font parser instead of just disabling a whole class of fonts in a security
update.

~~~
andybak
Do the cost/benefit analysis.

"Real problem now that affects my income" vs "unknown future risk."

You need to know the chance of a problem and the severity of that problem. My
hunch is that in this case "Real problem now" is the worse option for a
rational observer.

~~~
andybak
Ah. I have just noticed that the bug allows remote code execution from just
visiting a malicious website.

That does rather change the balance somewhat.

~~~
justinschuh
It's not just remote code execution; it's that this bug triggers in kernel
font handling code. So, it bypasses application sandboxes and any other user
space protections.

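The two points above (a font delivered by a web page is parsed by code you never chose to run, and when that parser lives in the kernel a bounds error is a kernel-level compromise rather than a sandboxed crash) come down to one class of defect: trusting the offsets and lengths a font file declares. The following is an added example, not code from the thread or from the Windows font parser. It assumes the sfnt container used by TrueType and OpenType fonts, since the thread does not name a format, and builds its own constructed sample files: a benign two-table font, one whose table length runs past the end of the file, and one whose offset is chosen so that a 32-bit `offset + length` check wraps around. The "naive" parser and check stand in for what a careless native-code parser does; the "checked" parser shows the validation a parser needs before touching any declared range.

```python
import struct

SFNT_VERSIONS = {0x00010000, 0x4F54544F, 0x74727565}  # 1.0, 'OTTO', 'true'


class MalformedFont(ValueError):
    """Raised when the table directory does not fit the bytes we were handed."""


def build_font(tables, declared=None):
    """Constructed sample: pack {tag: bytes} into an sfnt container. `declared`
    maps a tag to a bogus (offset, length) so a crafted file can be built."""
    tags = sorted(tables)
    offset = 12 + 16 * len(tags)            # table data starts after the directory
    records, body = b"", b""
    for tag in tags:
        data = tables[tag]
        padded = data + b"\0" * (-len(data) % 4)
        off, ln = declared.get(tag, (offset, len(data))) if declared else (offset, len(data))
        records += struct.pack(">4sIII", tag.encode("ascii"), 0, off, ln)
        body += padded
        offset += len(padded)
    header = struct.pack(">IHHHH", 0x00010000, len(tags), 0, 0, 0)
    return header + records + body


def bounds_ok_naive(off, ln, size):
    """The check a careless C parser writes: off + ln <= size in 32-bit arithmetic.
    The addition wraps, so a huge offset plus a small length looks 'inside' the file."""
    return ((off + ln) & 0xFFFFFFFF) <= size


def bounds_ok(off, ln, size):
    """Overflow-safe form: compare against the remaining bytes instead of adding."""
    return off <= size and ln <= size - off


def parse_tables_unchecked(blob):
    """Walk the directory trusting the declared offsets and lengths. Python slices
    silently truncate; the equivalent memcpy in a kernel parser reads past the buffer."""
    num_tables = struct.unpack_from(">H", blob, 4)[0]
    tables = {}
    for i in range(num_tables):
        tag, _csum, off, ln = struct.unpack_from(">4sIII", blob, 12 + 16 * i)
        tables[tag.decode("ascii", "replace")] = blob[off:off + ln]
    return tables


def parse_tables_checked(blob):
    """Same walk, but the directory must fit before it is read and every declared
    offset/length is validated against the file size before it is used."""
    size = len(blob)
    if size < 12:
        raise MalformedFont("shorter than the offset table")
    version, num_tables = struct.unpack_from(">IH", blob, 0)
    if version not in SFNT_VERSIONS:
        raise MalformedFont("unknown sfnt version 0x%08x" % version)
    dir_end = 12 + 16 * num_tables
    if dir_end > size:
        raise MalformedFont("directory of %d records runs past EOF" % num_tables)
    tables = {}
    for i in range(num_tables):
        tag, _csum, off, ln = struct.unpack_from(">4sIII", blob, 12 + 16 * i)
        name = tag.decode("ascii", "replace")
        if off < dir_end or not bounds_ok(off, ln, size):
            raise MalformedFont("table %s: offset %d length %d vs file size %d" % (name, off, ln, size))
        if name in tables:
            raise MalformedFont("duplicate table " + name)
        tables[name] = blob[off:off + ln]
    return tables


def is_well_formed(blob):
    """True if the checked parser accepts the file, False if it rejects it."""
    try:
        parse_tables_checked(blob)
        return True
    except MalformedFont:
        return False


# Constructed inputs: a benign two-table font and two crafted variants.
_TABLES = {"head": b"\0" * 54, "maxp": b"\0" * 6}
BENIGN_FONT = build_font(_TABLES)
OVERLONG_TABLE_FONT = build_font(_TABLES, declared={"maxp": (100, 0x7FFFFFF0)})
WRAPPED_OFFSET_FONT = build_font(_TABLES, declared={"head": (0xFFFFFFF0, 0x20)})

if __name__ == "__main__":
    samples = [("benign", BENIGN_FONT), ("overlong", OVERLONG_TABLE_FONT), ("wrapped", WRAPPED_OFFSET_FONT)]
    for name, blob in samples:
        print(name, "well-formed" if is_well_formed(blob) else "rejected")
```

The wrapped-offset sample is the one worth studying: `bounds_ok_naive` accepts it because `0xFFFFFFF0 + 0x20` wraps to `0x10`, which is well inside a 108-byte file, while `bounds_ok` rejects it without ever performing the addition. In user space that mistake is a crash inside whatever sandbox the browser put around the renderer; in a kernel-mode font engine the same out-of-bounds access happens with kernel privileges, which is why a font arriving from an ad network is a far more serious input than the fonts you installed yourself.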
~~~
DannyBee
I think the best part of this is the phrase "kernel font handling code"

Of all the things to put into kernel space ....

~~~
codewright
>Of all the things to put into kernel space ....

It's Windows man, this is an old story now.

------
datr
Microsoft's security announcement here: [http://technet.microsoft.com/en-us/security/bulletin/ms12-07...](http://technet.microsoft.com/en-us/security/bulletin/ms12-078)

The Chromium bug report where the issue was discovered:
<http://code.google.com/p/chromium/issues/detail?id=146254>

------
drzaiusapelord
"eat a bullet?" What does that even mean? Come on, is it asking too much for
even a semi-professional article here? The reg is a tabloid that's basically
blogspam. HN can do better.

~~~
lambda
"Eat a bullet" is slang which means being shot. As in, the update kills
certain fonts. It's also a pun, because fonts contain a character known as a
bullet: "•".

Yes, the Reg is an IT tabloid; they do an entertaining, sarcastic, and pun-
filled take on IT news. I wouldn't call it blogspam in general; they do real
reporting, and provide more than the usual blogspam "link, quote, and one
sentence summary." In this particular case, the source they quoted probably
would have been a better article to post, as it is longer and contains more
information.