Can TrueType Fonts contain malicious code?
I was looking around for information on this and couldn't really find anything that solid. I used the TTX tool in the fonttools library to decompile the font into XML format but couldn't garner anything from the file.
Is it possible that a TrueType Font could contain executable code that could be potentially malicious?
According to the Wikipedia entry on TrueType, a hinting language is used during rendering. This hinting language is processed by a virtual machine, but it allows opportunities for malicious hinting code to take advantage of vulnerabilities in various implementations of that virtual machine.
Note that bad non-executed data can cause buffer overflows and allow code to be executed where it shouldn't, so the fact that a data format doesn't contain any type of executable or virtually executable code doesn't mean there aren't vulnerabilities that can result in remote code execution.
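As an added illustration (not part of either answer), here is a minimal pure-Python sfnt directory parser that reports which tables carry hinting-VM bytecode and refuses any record that points past the end of the file, which is the bounds check a renderer must make before trusting a table length. The sample font bytes are constructed inline; the table names and opcodes come from the TrueType specification.

```python
import struct

# fpgm/prep hold hinting VM bytecode, cvt its input values; glyf may carry per-glyph instructions.
HINTING_TABLES = {b"fpgm", b"prep", b"cvt ", b"glyf"}

def parse_table_directory(data):
    """Parse the sfnt offset table into {tag: (offset, length)}, rejecting any
    record that points outside the file instead of trusting its length."""
    if len(data) < 12:
        raise ValueError("too short for an sfnt header")
    version, num_tables = struct.unpack(">IH", data[:6])
    if version not in (0x00010000, 0x74727565):  # 1.0 or 'true'
        raise ValueError("not a TrueType sfnt (version 0x%08x)" % version)
    tables = {}
    for i in range(num_tables):
        rec = 12 + 16 * i
        if rec + 16 > len(data):
            raise ValueError("table directory truncated")
        tag, _csum, offset, length = struct.unpack(">4sIII", data[rec:rec + 16])
        if offset + length > len(data):  # a C parser must also guard uint32 wraparound
            raise ValueError("table %r runs past end of file" % tag)
        tables[tag] = (offset, length)
    return tables

def hinting_report(data):
    """Return {tag: length} for the non-empty tables that feed the hinting VM."""
    return {t.decode(): n for t, (_, n) in parse_table_directory(data).items()
            if t in HINTING_TABLES and n > 0}

def is_well_formed(data):
    try:
        parse_table_directory(data)
        return True
    except ValueError:
        return False

def build_font(tables):
    """Assemble a minimal sfnt from {tag: bytes}; constructed test data (checksums zeroed)."""
    header = struct.pack(">IHHHH", 0x00010000, len(tables), 0, 0, 0)
    offset, directory, body = 12 + 16 * len(tables), b"", b""
    for tag, payload in tables.items():
        padded = payload + b"\0" * (-len(payload) % 4)  # tables are 4-byte aligned
        directory += struct.pack(">4sIII", tag, 0, offset, len(payload))
        body += padded
        offset += len(padded)
    return header + directory + body

# Constructed sample: zeroed 'head' plus two 4-byte programs (PUSHB[0] 0, FDEF, ENDF).
SAMPLE_FONT = build_font({b"head": b"\0" * 54, b"fpgm": b"\xb0\x00\x2c\x2d",
                          b"prep": b"\xb0\x00\x2c\x2d"})
```

Truncating the sample by two bytes makes the last directory record overrun the file, and `is_well_formed` reports it as malformed rather than reading past the buffer.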
Well... not directly, but very definitely indirectly.
There is a type of malware payload that builds the actual bytes of its executable using a code file that is already present on the target system. That pre-existing code file has to be exactly the same on each system that is to be infected. The only code in the supplied malware is the code that assembles the bytes, by knowing the position, byte for byte, of the code to be built.
For example, if the code file has the byte 0xF3 at position 105, and the next byte needed to assemble the malicious code is 0xF3, what is encoded in the building malware is "105", and it knows to get the actual code byte from the file.
So, what file is the same on most/all Windows systems, for example? It turns out the Wingdings font file hasn't changed in Windows, going back as far as any modern-ish system is going to have.
And I didn't dream this up - it's all described here, with code examples.