zlacker

[return to "Llama.ttf: A font which is also an LLM"]
1. electr+4e[view] [source] 2024-06-23 14:19:38
>>fugled+(OP)
While cool, technically… From a security perspective today I learned that TrueType fonts have arbitrary code execution as a ‘feature’ which seems mostly horrific.
◧◩
2. samwil+xe[view] [source] 2024-06-23 14:25:55
>>electr+4e
Not really, no more so than a random webpage running js/WASM in a sandbox.

The only output from the WASM is to draw to screen. There is no chance of a RCE, or data exfiltration.

◧◩◪
3. turnso+lh[view] [source] 2024-06-23 14:52:08
>>samwil+xe
The risk is that you could have the text content say one thing while the visual display says another. There are social engineering and phishing risks.
◧◩◪◨
4. alexvi+sv1[view] [source] 2024-06-24 04:04:30
>>turnso+lh
If you control the font, you control the content as well, I don't see the attack vector.
◧◩◪◨⬒
5. turnso+SW2[view] [source] 2024-06-24 16:37:41
>>alexvi+sv1
If you can trick someone into installing the font, you can now control what they read. Unfortunately a lot of hacks involve the user doing something dumb and avoidable.

If this font format is successful, then given enough time, it will become legacy. People won't be as vigilant about it, and they won't understand the internals as well. This is why TIFF-based exploits became so common 20-30 years after TIFF's heyday.

[go to top]