18

I was looking around for information on this and couldn't really find anything that solid. I used the TTX tool in the fonttools library to decompile the font into XML format but couldn't garner anything from the file.

Is it possible that a TrueType font could contain executable code that could be potentially malicious?

2

3 Answers

15

According to the Wikipedia entry on TrueType, a hinting language is used during rendering. This hinting language is processed by a virtual machine, but it allows opportunities for malicious hinting code to take advantage of vulnerabilities in various implementations of that virtual machine.

Note that bad non-executed data can cause buffer overflows and allow code to be executed where it shouldn't, so the fact that a data format doesn't contain any type of executable or virtually executable code doesn't mean there aren't vulnerabilities that can result in remote code execution.

2
  • Interesting. Is there any method for checking if a particular font file is malicious or not? Commented Apr 23, 2017 at 21:07
  • @ADAMPOKE111 Wonder if scanning the TTF file at virustotal.com would be useful. Commented Feb 26, 2021 at 22:55
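
As an added example (not part of any answer or comment above), here is one way to see what a TrueType file would hand to the hinting virtual machine. It reads the sfnt table directory, reports the size of the `fpgm` and `prep` bytecode tables, and flags directory entries whose offset and length point outside the file. The helper names and the sample font bytes are constructed for illustration.

```python
import struct

# Tables holding TrueType hinting bytecode run by the rasterizer's VM.
# ('glyf' can also carry per-glyph instructions; it is not parsed here.)
HINT_TABLES = ("fpgm", "prep")

def inspect_sfnt(data: bytes) -> dict:
    """Parse the sfnt table directory; report hinting program sizes and
    any directory entry that points outside the file."""
    if len(data) < 12:
        raise ValueError("too short for an sfnt header")
    version, num_tables = struct.unpack(">IH", data[:6])
    if version not in (0x00010000, 0x74727565):  # 1.0 or 'true'
        raise ValueError("not a TrueType-flavoured sfnt")
    if 12 + 16 * num_tables > len(data):
        raise ValueError("table directory runs past end of file")
    report = {"hint_bytes": {}, "out_of_bounds": []}
    for i in range(num_tables):
        tag, _checksum, offset, length = struct.unpack_from(
            ">4sIII", data, 12 + 16 * i)
        name = tag.decode("latin-1")
        if offset + length > len(data):
            report["out_of_bounds"].append(name)  # malformed entry
        elif name in HINT_TABLES:
            report["hint_bytes"][name] = length
    return report

def build_sample(tables, lie_about=None):
    """Constructed test font: header, directory, then table bodies.
    `lie_about` gives one table a length far larger than the file."""
    header = struct.pack(">IHHHH", 0x00010000, len(tables), 0, 0, 0)
    pos = 12 + 16 * len(tables)
    directory, body = b"", b""
    for tag, payload in tables:
        length = 0xFFFF if tag == lie_about else len(payload)
        directory += struct.pack(">4sIII", tag, 0, pos, length)
        body += payload
        pos += len(payload)
    return header + directory + body

# Constructed placeholder payloads, not taken from any real font.
SAMPLE_TABLES = [(b"fpgm", b"\xb0\x00\x2c"), (b"prep", b"\xb0\x01"),
                 (b"head", b"\x00" * 8)]

if __name__ == "__main__":
    print(inspect_sfnt(build_sample(SAMPLE_TABLES)))
    print(inspect_sfnt(build_sample(SAMPLE_TABLES, lie_about=b"head")))
```

Hinting programs are present in many ordinary fonts, so a non-empty `hint_bytes` only shows that the file carries bytecode; an entry in `out_of_bounds` shows a structurally malformed file.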
4

Well... not directly, but very definitely indirectly.

There is a type of malware payload that builds the actual bytes of its executable using a code file that is already present on the target system. That pre-existing code file has to be exactly the same on each system that is to be infected. The only code in the supplied malware is the code that assembles the bytes, by knowing the position, byte for byte, of the code to be built.

For example, if the code file has the byte 0xF3 at position 105, and the next byte needed to assemble the malicious code is 0xF3, what is encoded with the building malware is "105", and it knows to get the actual code byte from the file.

So, what file is the same on most/all Windows systems, for example? It turns out, the Wingdings font file hasn't changed in Windows, going back as far as any modern-ish system is going to have.

And I didn't dream this up - it's all described here, with code examples.

1

Definitively YES. The link (and linked links) says that TrueType fonts are designed to contain code for a virtual machine, and that in some (most) versions of Windows the code was executed (by the virtual machine) in the kernel context. The use of a virtual machine should isolate the font code from the rest of the machine, but there were vulnerabilities identified.

My view is overall negative, but to give a positive bit, I cite (from the referred page) that "Windows 10 Anniversary Update now parses fonts in USER mode", so the superuser could be relatively safe, in the sense that if the fonts are used only by users without privileges, the operating system is not directly exposed to the font. But I do not promise any security :-)

2
  • As it’s currently written, your answer is unclear. Please edit to add additional details that will help others understand how this addresses the question asked. You can find more information on how to write good answers in the help center.
    – Community Bot
    Commented Oct 24, 2023 at 4:07
  • @Community I edited the answer. Is it better now?
    – minorChaos
    Commented Oct 31, 2023 at 9:19
