IE4 font security flaw (fwd)

Rohit Khare (
Thu, 23 Oct 1997 18:11:39 -0400 (EDT)

[Gang, I don't know about the veracity of the claims, but he is
correct that it's the *small* font vendor's largest fear. A giant
vendor has far fewer qualms about handing out free tokes.

His column, at the url below, has a bit more explanation of why this
sucks, and how it screws publishers who have already been selling
fonts without the 'no embedding' bit set. From a meta-security
perspective, MS changed the rules by moving policy from the font
interpreter to the font publisher, which sounds good, but flips the
decisions of those affected.

Daniel's credentials seem pretty reasonable -- he was a founder of
TypeRight, an IPR advocacy group for fonts. RK]

Forwarded message:

From: "Daniel Will-Harris" <>
To: <>
Date: Thu, 23 Oct 1997 14:13:10 -0700
Message-ID: <01bcdff8$7770dce0$244204c7@dwh>
Subject: IE4 font security flaw

Font foundries and designers have been vocal in their fear of font embedding
on the web, and now it seems their fears were well-founded, at least in the
case of Microsoft's new browser, Internet Explorer 4. The browser's new
OpenType font embedding feature has a fatal security flaw that makes it easy
for any user, even those without technical knowledge, to capture embedded
fonts from a web site and install them into their system for use with all
their software. No one other than myself has yet uncovered the simple steps
to do so and I will not reveal the steps here, because I don't want people
pirating fonts.

Microsoft knows about the problem and has stated it will do nothing to
correct it.

With over 2 million copies of IE4 distributed in the past two weeks alone,
IE4's font embedding may not adequately address the protection of the
intellectual property rights of font designers and foundries.

You can read the details at

]) /\ |\| | (- |_
Home of EsperFonto
Read my new Opinion Column at
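
The 'no embedding' bit mentioned in the covering note is, in TrueType/OpenType fonts, the Restricted License bit of the `fsType` field in the `OS/2` table. The following is an added example, not code from either author: a publisher-side audit that reads that field and lists fonts shipped without the restriction. The font names and sample bytes are constructed for illustration.

```python
import struct

# Embedding-permission bits of the OS/2 table's fsType field (OpenType spec).
RESTRICTED, PREVIEW_PRINT, EDITABLE = 0x0002, 0x0004, 0x0008

def read_fstype(font: bytes) -> int:
    """Return OS/2.fsType from an sfnt-wrapped (TrueType/OpenType) font."""
    if len(font) < 12:
        raise ValueError("too short for an sfnt header")
    (num_tables,) = struct.unpack_from(">H", font, 4)
    for i in range(num_tables):
        rec = 12 + 16 * i                      # 16-byte table records follow the header
        if rec + 16 > len(font):
            raise ValueError("truncated table directory")
        tag, _sum, offset, length = struct.unpack_from(">4sIII", font, rec)
        if tag == b"OS/2":
            if length < 10 or offset + 10 > len(font):
                raise ValueError("truncated OS/2 table")
            return struct.unpack_from(">H", font, offset + 8)[0]   # fsType at byte 8
    raise LookupError("font has no OS/2 table")

def embedding_policy(fs_type: int) -> str:
    """Map fsType to a level; if several bits are set, the least restrictive
    is treated as effective (the spec's rule for older table versions)."""
    if fs_type & EDITABLE:
        return "editable"
    if fs_type & PREVIEW_PRINT:
        return "preview-and-print"
    if fs_type & RESTRICTED:
        return "restricted"        # the 'no embedding' bit, set on its own
    return "installable"           # no permission bit set: least restrictive level

def audit(fonts: dict) -> list:
    """Names of fonts whose publisher never set the 'no embedding' restriction."""
    return sorted(n for n, data in fonts.items()
                  if embedding_policy(read_fstype(data)) != "restricted")

def make_sample_font(fs_type: int) -> bytes:
    """Constructed minimal sfnt: header, one OS/2 record, 10-byte OS/2 stub."""
    header = struct.pack(">IHHHH", 0x00010000, 1, 16, 0, 0)
    record = struct.pack(">4sIII", b"OS/2", 0, 28, 10)
    os2 = struct.pack(">HhHHH", 0, 500, 400, 5, fs_type)
    return header + record + os2

if __name__ == "__main__":
    catalog = {"LegacyFace.ttf": make_sample_font(0x0000),   # constructed samples
               "LockedFace.ttf": make_sample_font(0x0002)}
    print(audit(catalog))
```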