The Compact Font Format (CFont) was developed by Adobe and it is a container for one or more fonts. Although not compressed, it’s a format designed to save space as the name suggests.
The bytecode contained in CFonts is either Type1 or Type2, both very similar and supported by the Profiler, although nothing prevents from storing another type of bytecode.
The support of this font format also improves the support for OpenType fonts, because these fonts can store glyph outlines in a CFF table, rather than in a glyf table such as TrueType fonts. CFF tables contain Compact Fonts.
In this last screenshot we can see an example of font detection inside of a PDF.
We’re happy to announce that the new 0.7.5 version of the Profiler offers support for TrueType (SFNT) fonts. This is the first step in the direction of giving our users a complete solution for font formats and analyze them inside documents. The recent threat landscape has seen the rise of fonts as an infection vector. Two notable examples are Duqu and the iOS 4.3 jailbreak.
In the screenshot above we see several TrueType fonts being analyzed inside of a PDF document.
One of the offered features is the capability to output the code contained in a TrueType font. While this feature can’t be used to establish the risk factor of a font at glance, it is useful to security analysts.
Functions are associated with their glyph name, in order to more easily establish which instructions are associated to a particular character.
The report also shows the metadata, which doesn’t offer any kind of security assurance, but might be of interest to the user.
As with every file type supported by the Profiler it is possible to inspect the format of TrueType and TrueType Collections fonts as well.
The screenshot above shows the format of a TrueType collection. Collections host more than one font and every one of them can be analyzed.
It should be noted that TrueType fonts are hosted in a format called SFont. SFonts can also host other font types. An example of this scenario are OpenType fonts by Microsoft, which can be TrueType compatible but go beyond the TrueType format. While the current support for TrueType also allows to inspect OpenType fonts, it is our intent in the near future to cover OpenType fonts in detail.
More updates related to fonts should soon be available. So, as usual, stay tuned. 🙂