Updated: November 13, 2020
In the past month, I've read about a dozen security bulletins involving remote execution exploits due to font parsing vulnerabilities in a range of operating systems, from desktop to mobile. In all these cases, there was a detailed mention of problems, but very little if any mention of possible solutions, other than vendor updates, that is.
Which is rather intriguing, because there is a tool that can help you with fonts. It's called Noscript, it's a supreme browser extension available in Firefox and more recently in Chrome, and it allows you to govern the loading of fonts in your webpages. A simple and elegant tool that can save you, or at the very least significantly minimize, the headache with fonts. But does it get the spotlight it deserves? Of course not, drama and fear are far more interesting. Let's see what gives.
Noscript in 60 seconds
If you've been reading Dedoimedo for the past, well, ever, you know I love and use Noscript. It's a must-have browser extension for me. With scripting (mostly) disabled, the browsing is far more fun. Faster, cleaner. The security element is secondary, but it exists nonetheless. When you browse with Noscript, only pure information is loaded - text and images. Anything that requires scripts, nyet. Good.
This translates the modern Internet experience - which is awful BTW - into a sane, quiet one. When you need to do something that requires Javascript, you can temporarily toggle the permissions for a specific domain, do what you need to do, and then go back to the quiet and sane browsing.
You can also permanently configure your TRUSTED and UNTRUSTED lists - sites that will have scripts and other objects enabled by default, and those that won't, even if you temporarily allow all. Simple and practical. Sure, it can be a hassle, and only nerds can use this properly, but then all of this talk about security is nerdy stuff anyway.
Now, scripting is only one aspect of Noscript's functionality. The add-on can also block/allow other Web page elements, including objects, media files, frames, WebGL - and fonts! Let's not forget fonts. If there are remote fonts, they can be blocked. By default, Noscript will block scripts, fonts, WebGL and Web ping elements on a page. For trusted sites, everything will be allowed. For untrusted, everything will be blocked.
Noscript & fonts
Now, if you do not want to reduce your Web experience by blocking fonts and constantly having to tweak scripting permissions for this and that site, then what you can do is as follows:
- Enable scripts for the DEFAULT zone.
- Block fonts for the DEFAULT and TRUSTED zone.
And that's it. Your day-to-day Interneting will behave like before - sites will load (almost fully), you will have all your scripts, comments, whatnot, and the only thing that will not be processed are remote fonts. So if there are issues, then there are no issues. In fact, there's really no reason why this shouldn't be your default configuration, especially if you don't want to be inconvenienced by scriptology.
Now, this WILL break your font experience. Sites that use fancy remote fonts will not render as designed, so you may see alternate fonts (whatever replacement is available locally), or, if a site is super-badly configured without a fallback font in its CSS, empty, ugly squares. Which is great!
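The missing-fallback problem above is something a site author can check for before a font-blocking visitor sees squares. As an added example, not the post's code, here is a small Node.js audit over a constructed stylesheet that flags @font-face rules with only remote url() sources and font-family stacks that name no generic family; it is regex-based and assumes plain, non-nested CSS.

```javascript
// Added example (not the post's code): regex audit of plain, non-nested CSS for the
// two mistakes that turn a blocked remote font into empty squares. Assumes no "font" shorthand.
const GENERIC_FAMILIES = new Set(["serif", "sans-serif", "monospace", "cursive", "fantasy",
  "system-ui", "ui-serif", "ui-sans-serif", "ui-monospace", "ui-rounded", "emoji", "math", "fangsong"]);

// Split `"Fancy", Georgia, serif` into ["Fancy", "Georgia", "serif"], quotes removed.
function parseFamilyStack(value) {
  return value.split(",").map((f) => f.trim().replace(/^["']|["']$/g, "")).filter(Boolean);
}

function auditFontCss(cssText) {
  const css = cssText.replace(/\/\*[\s\S]*?\*\//g, ""); // drop comments first
  const findings = [];
  const fontFaceRe = /@font-face\s*\{([^}]*)\}/g;
  let m;
  // 1. @font-face with only remote url() sources: if the download is blocked, the
  //    browser has no local() face to substitute under this family name.
  while ((m = fontFaceRe.exec(css)) !== null) {
    const family = /font-family\s*:\s*([^;]+)/i.exec(m[1]);
    const src = /src\s*:\s*([^;]+)/i.exec(m[1]);
    const name = family ? parseFamilyStack(family[1])[0] : "(unnamed)";
    if (src && /url\(/i.test(src[1]) && !/local\(/i.test(src[1])) {
      findings.push({ rule: "font-face", family: name, issue: "remote-only src, no local()" });
    }
  }
  // 2. Ordinary rules whose stack never names a generic family: nothing tells the
  //    browser what to draw when the web font is unavailable.
  const declRe = /font-family\s*:\s*([^;}]+)/gi;
  const withoutFontFace = css.replace(fontFaceRe, "");
  while ((m = declRe.exec(withoutFontFace)) !== null) {
    const stack = parseFamilyStack(m[1]);
    if (!stack.some((f) => GENERIC_FAMILIES.has(f.toLowerCase()))) {
      findings.push({ rule: "font-family", family: stack[0], issue: "no generic fallback family" });
    }
  }
  return findings;
}

// Constructed sample: the first @font-face and the body rule are the bad cases.
const SAMPLE_CSS = `
@font-face { font-family: "FancySans"; src: url(https://fonts.example/fancy.woff2) format("woff2"); }
@font-face { font-family: "SafeSerif"; src: local("Georgia"), url(/fonts/safe.woff2); }
body { font-family: "FancySans"; }  /* squares when FancySans is blocked */
h1   { font-family: "SafeSerif", Georgia, serif; }
`;

console.log(auditFontCss(SAMPLE_CSS));
```

Run with `node` on any stylesheet text; two findings for the sample, both pointing at FancySans, and none for the h1 rule that ends in a generic serif.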
Of course, people will automatically equate this phenomenon with bad, bad, naughty fonts. But I think every remote font is bad - that is UNNECESSARY. There's no reason, other than silly fads, why anyone should use remote fonts in their pages. Just because it's fashionable, like dark themes? If you want fancy fonts, buy them, put them on your server, and serve them to your audience. Oh that's right, that costs money! But Arial or sans-serif are just too retro! Not kewl enough.
Oh, if you're wondering, Web font blocking is not a new thing. Noscript has handled this since at least 2010, and even then, the remote font issues and FreeType vulnerabilities happened here and there. Nothing has changed really, except the focus has slightly shifted. That's all.
As an extra thing, you can also permanently block various sites you deem naughty or unsafe, so if you ever allow-all for various domains, the untrusted sites will still remain blocked, so you don't need to worry about accidentally punching holes in your setup through negligence or lazy mouse clicking.
Unrelated extra: Windows 10 & Exploit Protection
Something specific for Windows folkses, and totally not Noscript, but I feel this is a good moment to home in on the value of this point. I am so annoyed when everyone preaches doom and gloom about Windows, but they also always fail to mention the best security mechanism available in the Windows operating system, the elegant and fairly transparent Exploit Protection framework, which is based on the legendary EMET toolbox. Instead of chasing security uselessly, you can nip the problem in the bud.
One, you can globally disable untrusted fonts in the operating system, or if you think this is too much, then you can adjust the policy per application using the Exploit Protection functionality. Very simple, again. But then, this isn't something that gets enough focus, probably because it doesn't have a blockbuster level of suspense.
Poetic justice: Firefox
One thing that seems to become more prevalent lately - zero-day bugs in Chrome apparently. Now, on its own, this is nothing special or new - tons of programs have had these and will have these over the years. They come, the vendor patches them, next. If it's on the net, then something could go wrong. Simple facts of life.
What is interesting is the ubiquity of Chrome slash Chromium - as it has become the dominant browser, especially on mobile. Youngsters of today may find this novel and unique, but it's just a repetition of the joy and drama with Internet Explorer around 2005-2010, when it was the most popular and also most targeted browser.
Then, there's also the hidden dragon, crouching Electron. Tons of applications nowadays are just that - encapsulated browsers with a custom UI, powered by the Chromium engine under the hood. This makes for a simple, elegant design. But it also means that if there's a vulnerability in Chromium, there's a solid chance such a vulnerability may also exist in a whole range of other apps that you won't necessarily associate with pure browsing. If and when such bugs manifest, will they affect you? How? When? Will you be able to figure out what may trigger a browser-like exploit in a non-browser-like interface? Hint: This has happened before, like the CVE-2018-1000136 vulnerability, for instance.
And then you have Firefox, which is no longer as glamorous or as popular as it used to be, but the fact it uses its own rendering engine and has a smaller market footprint makes it less likely to be the first choice in the pwnage game. We sort of went back 15 years in time. Lolza.
Conclusion
The recent security bulletins were mostly around non-Windows operating systems, mobile in particular. Which rules out Exploit Protection, but then Firefox and Chrome are largely available on most operating systems, and you can use the Noscript extension to enhance your security and usability stance. Just as adblockers on your smartphone reduce the bullshit effect by 99% and improve your battery life, Noscript can help further minimize the noise and improve your security.
I know that the focus here is on the security aspect of fonts, but it's not just about that. No. These font vulnerabilities are a natural extension of a BAD USAGE model. Anything can have bugs and problems. Fonts aren't special or unique. The real problem is people using fonts in the wrong way. Like giving a Claymore to a child, except it's shoddy CSS and lazy Web design. Remote fonts are bling-bling rims on a rusty old car.
The remote, third-party stuff loading is a growing issue. More and more sites are blindly re-using snippets of code, and it's all becoming "cloudy" - there's blurring between local and remote assets, the use of cloud storage and networks, and all the other bits and pieces that complicate the Internet experience. In essence, yes, you gain a little bit of speed and polish here and there, but ultimately, you lose on everything else, including healthy coding practices and security along the way. Then again, the Web died around 2014 or so, and this latest incarnation is just Idiocracy 2.0.
Anyway, enough ranting for one day. Use Noscript to make your Internet less idiotic. It's not about security. That's just an added bonus. It's about blocking bullshit, and the more bullshit you block, the higher the chance the Web designers will have to reconsider their practices. Remote fonts are just one of the many problems with the modern Internet, and there's no reason to cooperate with it. Along the way, you may also reduce the risk of hax0ring your device. And we're done.
Cheers.