Phinney on Fonts

Thomas “my other car is a sans serif” Phinney on fonts, typography & text. Geeky troubleshooting and info for font developers and users. Consulting & expert witness for fonts & typography.


Fontmageddon? Windows security patch KB2753842 of Dec 11 (fixed!)

OpenType / PostScript font support killed in many apps (FIXED Dec 20, 2012)

(UPDATED repeatedly, first with more details and then because of the Dec 20 fix.)

Was it Fontmageddon? For users who use fonts in some applications (see below), Windows security update KB2753842 of Dec 11, 2012, caused more harm than good. Luckily MS got it fixed and re-released it nine days later. The current version of the patch does NOT have the problem, and can be installed over the original release to fix the problem caused by the original.

Kudos to Microsoft for fixing it quickly and including interested outside parties in testing it. I was able to seed Extensis tech support manager Romeo Fahl with the fixed patch, so we participated in helping verify it worked.

WHAT THE BAD PATCH DID

(1) Installing the update breaks a very small number of fonts at the system level, for all apps, including potentially malicious fonts. That’s what it was supposed to do. BUT ALSO…

(2) With the original version of the update, in certain apps text set in any PostScript Type 1 (.pfb/.pfm) or OpenType CFF (.otf) font became invisible. This can even affect font menus when the app has a WYSIWYG font menu.

FIXING THE PROBLEM

Installing the revised version (2.0) of the patch from Microsoft will fix the problem caused by the original release.

If your computer is part of a domain administered centrally by an IT team, you should alert them that the issue is fixed, so they can decide whether to roll it out now that the patch is safer.

 

PROGRAMMER DETAILS

The apps that were especially affected are those that use the GetGlyphOutline() API to grab font outlines of PostScript fonts (both Type 1 .pfb/.pfm fonts and OpenType CFF .otf fonts). With the bad version of the patch, that API no longer returned the memory size needed to get the curves, but instead returned a bogus value of zero. This left some apps unable to render the glyph on screen, at least at 15 points and higher.

I gather there are other APIs apps can use, but GetGlyphOutline() works all the way back to XP, unlike the alternatives.
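
A regression check built on the behaviour described above, as an added example rather than code from this post or from Microsoft: it issues the size query for glyphs that must have ink and counts how many come back as zero. The helper names, the probe characters, the simulated back ends, the choice of GGO_NATIVE and the face name "Example CFF Font" are assumptions or placeholders.

```c
#include <stdint.h>
#include <stdio.h>
#ifdef _WIN32
#include <windows.h>                  /* link with gdi32 */
#endif
#define OUTLINE_ERROR 0xFFFFFFFFu     /* same value as GDI_ERROR */
/* Size query: what GetGlyphOutline() returns with cjBuffer = 0, pvBuffer = NULL. */
typedef uint32_t (*size_query)(void *ctx, unsigned ch);

/* Probe only characters that must have ink: a blank glyph such as the
   space legitimately needs 0 bytes, so a zero there proves nothing. */
static const char INKED[] = "AQg8&";

/* Returns how many inked probe glyphs got a size of 0 (the symptom the post
   describes), or -1 if any query reported an outright error. */
int zero_size_glyphs(size_query query, void *ctx)
{
    int zeros = 0;
    for (const char *p = INKED; *p; ++p) {
        uint32_t need = query(ctx, (unsigned char)*p);
        if (need == OUTLINE_ERROR) return -1;
        if (need == 0) ++zeros;
    }
    return zeros;
}

/* Constructed stand-ins (assumptions) so the logic can be exercised without GDI. */
uint32_t sim_healthy(void *ctx, unsigned ch)   { (void)ctx; return 64 + ch; }
uint32_t sim_regressed(void *ctx, unsigned ch) { (void)ctx; (void)ch; return 0; }
uint32_t sim_failing(void *ctx, unsigned ch)   { (void)ctx; (void)ch; return OUTLINE_ERROR; }

#ifdef _WIN32
static uint32_t gdi_query(void *ctx, unsigned ch)
{
    static const MAT2 identity = {{0, 1}, {0, 0}, {0, 0}, {0, 1}};   /* FIXED 1.0 on the diagonal */
    GLYPHMETRICS gm;
    return GetGlyphOutlineW((HDC)ctx, ch, GGO_NATIVE, &gm, 0, NULL, &identity);
}

int main(void)
{
    /* Placeholder face: name an installed CFF .otf or Type 1 font. -32 px is 24 pt at 96 dpi. */
    LOGFONTW lf = { .lfHeight = -32, .lfFaceName = L"Example CFF Font" };
    HDC dc = CreateCompatibleDC(NULL);
    SelectObject(dc, CreateFontIndirectW(&lf));
    printf("zero-size inked glyphs: %d\n", zero_size_glyphs(gdi_query, dc));
    return 0;
}
#endif
```

GDI silently substitutes another face when the named one is not installed, so confirm the selected face (for example with GetTextFace) before trusting a clean result.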

AFFECTED OS VERSIONS AND SOFTWARE

I strongly suspect that in many more applications than those listed, “convert to curves” functions will fail or result in lost text. I also suspect that in most cases where a current version of an application is affected, so are older versions not listed. What we know is that affected OSes and apps included:

MICROSOFT RESPONSE

The MS Knowledgebase article has a standard section for “known issues.” On Friday Dec 14, 2012, Microsoft updated it to read: “We are aware of issues related to OpenType Font (OTF) rendering in applications such as PowerPoint on affected versions of Windows that occur after this security update is applied. We are currently investigating these issues and will take appropriate action to address the known issues.”

On Thursday, Dec 20, 2012, Microsoft released version 2.0 of the patch that fixes the problems in the original. The “known issues” section now reads: “The original version of security update 2753842 had an issue related to OpenType Font (OTF) rendering in applications such as PowerPoint on affected versions of Windows. This issue was resolved in the version of this security update that was rereleased on December 20, 2012.”

4 comments to “Fontmageddon? Windows security patch KB2753842 of Dec 11 (fixed!)”

  • December 19, 2012
    Graham Hannington wrote

    Thank you for your detailed blog post. This issue hit me today in CorelDRAW X6 on Windows 7. I’ve uninstalled the update (or rather, as you suggested, I alerted my IT support, who removed this update from the update server; then I restarted my PC, and the server automatically uninstalled the update for me). Back to normal.

  • December 19, 2012
    Ben Owens wrote

    Here’s some details on script removal via Group Policy….

    http://www.teamas.co.uk/2012/12/windows-security-update-kb2753842.html

  • April 7, 2013
    Eric wrote

    I’m not sure exactly why but this site is loading incredibly slow for me. Is anyone else having this issue or is it a problem on my end? I’ll check back later and see if the problem still exists.
