Who knew that unzipping a font archive could unleash a malicious file
The researchers were able to construct a simple proof of concept in the form of a shell execution that allowed FontForge to open files to which it shouldn't have access – which is bad.
"The filename comes from the ArchiveParseTOC function, which means we can create an archive containing a malicious filename, bypassing traditional filename sanitization techniques, and triggering our exploit."
このニュースをすぐに読めるように要約しました。ニュースに興味がある場合は、ここで全文を読むことができます。 続きを読む: