We’re happy to announce that the new 0.7.5 version of the Profiler offers support for TrueType (SFNT) fonts. This is the first step in the direction of giving our users a complete solution for font formats and analyze them inside documents. The recent threat landscape has seen the rise of fonts as an infection vector. Two notable examples are Duqu and the iOS 4.3 jailbreak.
In the screenshot above we see several TrueType fonts being analyzed inside of a PDF document.
One of the offered features is the capability to output the code contained in a TrueType font. While this feature can’t be used to establish the risk factor of a font at glance, it is useful to security analysts.
Functions are associated with their glyph name, in order to more easily establish which instructions are associated to a particular character.
The report also shows the metadata, which doesn’t offer any kind of security assurance, but might be of interest to the user.
As with every file type supported by the Profiler it is possible to inspect the format of TrueType and TrueType Collections fonts as well.
The screenshot above shows the format of a TrueType collection. Collections host more than one font and every one of them can be analyzed.
It should be noted that TrueType fonts are hosted in a format called SFont. SFonts can also host other font types. An example of this scenario are OpenType fonts by Microsoft, which can be TrueType compatible but go beyond the TrueType format. While the current support for TrueType also allows to inspect OpenType fonts, it is our intent in the near future to cover OpenType fonts in detail.
More updates related to fonts should soon be available. So, as usual, stay tuned. :)