Fontmageddon? Windows security patch KB2753842 of Dec 11 (fixed!)
OpenType / PostScript font support killed in many apps (FIXED Dec 20, 2012)
(UPDATED repeatedly, first with more details and then because of the Dec 20 fix.)
Was it Fontmageddon? For users who use fonts in some applications (see below), Windows security update KB2753842 of Dec 11, 2012, caused more harm than good. Luckily MS got it fixed and re-released it nine days later. The current version of the patch does NOT have the problem, and can be installed over the original release to fix the problem caused by the original.
Kudos to Microsoft for fixing it quickly and including interested outside parties in testing it. I was able to seed Extensis tech support manager Romeo Fahl with the fixed patch, so we participated in helping verify it worked.
WHAT THE BAD PATCH DID
(1) Installing the update blocks a very small number of fonts at the system level, for all apps, including potentially malicious fonts. That’s what it was supposed to do. BUT ALSO….
(2) With the original version of the update, in certain apps all text set in PostScript Type 1 (.pfb/.pfm) and OpenType CFF (.otf) fonts became invisible. This can even affect font menus when the app has a WYSIWYG font menu.
FIXING THE PROBLEM
Installing the revised version (2.0) of the patch from Microsoft will fix the problem caused by the original release.
If your computer is part of a domain administered centrally by an IT team, you should alert them that the issue is fixed, so they can decide whether to roll it out now that the patch is safer.
PROGRAMMER DETAILS
The apps that were especially affected are those that use the GetGlyphOutline() API to grab font outlines of PostScript fonts (both Type 1 pfb/pfm fonts and OpenType CFF .otf fonts). With the bad version of the patch, that API no longer returned the memory size needed to hold the curves, but instead returned a bogus value of zero. Apps that rely on that value are then unable to render the glyph on screen, at least at 15 points and higher.
I gather there are other APIs apps can use, but that GetGlyphOutline() works all the way back to XP, unlike the alternatives.
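The two-call pattern around GetGlyphOutline() is what the broken patch poisoned: the first call (null buffer) asks how many bytes the outline needs, the second fills a buffer of that size. A zero answer is ambiguous, since it is the correct result for a blank glyph such as a space but was also what the bad patch returned for every PostScript/CFF glyph, so an app that simply allocated nothing drew nothing. The example below is added here and is not code from the post, from Microsoft or from any of the applications listed; the function-pointer "provider" is a hypothetical abstraction so the caller logic can be run against a real HDC on Windows and against two constructed providers (one healthy, one imitating the bad patch) elsewhere. The 64-byte outline size and the whitespace list are constructed assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Result of one outline fetch. */
typedef enum {
    OUTLINE_OK = 0,       /* *out holds *nbytes bytes of outline data */
    OUTLINE_EMPTY,        /* blank glyph: zero bytes is the correct answer */
    OUTLINE_SUSPECT_ZERO, /* zero bytes for a visible character: treat as a failure */
    OUTLINE_API_ERROR     /* provider reported an error (GDI_ERROR on Windows) */
} outline_status;

#define OUTLINE_ERROR ((uint32_t)-1)  /* same value GDI_ERROR has on Windows */

/* A GetGlyphOutline-shaped provider (hypothetical abstraction, not a Windows API):
 * with buf == NULL it returns the byte count needed; with a buffer it fills it and
 * returns the bytes written. */
typedef uint32_t (*outline_query_fn)(void *ctx, unsigned ch, uint32_t cb, void *buf);

/* Assumption: these characters legitimately have no ink and therefore no outline. */
static int is_blank_char(unsigned ch) {
    return ch == ' ' || ch == '\t' || ch == 0xA0;
}

outline_status fetch_outline(outline_query_fn query, void *ctx, unsigned ch,
                             void **out, uint32_t *nbytes)
{
    *out = NULL;
    *nbytes = 0;
    uint32_t need = query(ctx, ch, 0, NULL);        /* call 1: size query */
    if (need == OUTLINE_ERROR)
        return OUTLINE_API_ERROR;
    if (need == 0) {
        /* Zero is in-band: right for a space, wrong for 'A'. The original
         * KB2753842 returned it for every PostScript/CFF glyph, and apps that
         * allocated nothing and drew nothing showed invisible text. */
        return is_blank_char(ch) ? OUTLINE_EMPTY : OUTLINE_SUSPECT_ZERO;
    }
    void *buf = malloc(need);
    if (buf == NULL)
        return OUTLINE_API_ERROR;
    uint32_t got = query(ctx, ch, need, buf);       /* call 2: fill the buffer */
    if (got == OUTLINE_ERROR || got > need) {       /* never trust the fill size blindly */
        free(buf);
        return OUTLINE_API_ERROR;
    }
    *out = buf;
    *nbytes = got;
    return OUTLINE_OK;
}

#ifdef _WIN32
#include <windows.h>
/* Real adapter: ctx is an HDC with the font already selected into it. */
static uint32_t gdi_query(void *ctx, unsigned ch, uint32_t cb, void *buf) {
    static const MAT2 identity = { {0, 1}, {0, 0}, {0, 0}, {0, 1} };
    GLYPHMETRICS gm;
    DWORD r = GetGlyphOutlineW((HDC)ctx, ch, GGO_NATIVE, &gm, cb, buf, &identity);
    return r == GDI_ERROR ? OUTLINE_ERROR : (uint32_t)r;
}
#endif

/* Constructed providers so the caller can be exercised off Windows. */
static uint32_t healthy_query(void *ctx, unsigned ch, uint32_t cb, void *buf) {
    (void)ctx;
    uint32_t size = is_blank_char(ch) ? 0 : 64;    /* pretend every visible glyph needs 64 bytes */
    if (buf != NULL && cb >= size)
        memset(buf, 0xAB, size);                   /* stand-in for TTPOLYGONHEADER data */
    return size;
}
static uint32_t broken_query(void *ctx, unsigned ch, uint32_t cb, void *buf) {
    (void)ctx; (void)ch; (void)cb; (void)buf;
    return 0;                                      /* what the original patch did */
}

/* Convenience wrappers: run a fetch, release the buffer, report status or size. */
int fetch_status(outline_query_fn q, unsigned ch) {
    void *buf; uint32_t n;
    outline_status s = fetch_outline(q, NULL, ch, &buf, &n);
    free(buf);
    return s;
}
uint32_t fetch_bytes(outline_query_fn q, unsigned ch) {
    void *buf; uint32_t n;
    fetch_outline(q, NULL, ch, &buf, &n);
    free(buf);
    return n;
}

int main(void) {
    printf("healthy 'A': status %d, %u bytes\n", fetch_status(healthy_query, 'A'), fetch_bytes(healthy_query, 'A'));
    printf("broken  'A': status %d -> fall back to a text path that does not need outlines\n",
           fetch_status(broken_query, 'A'));
    printf("broken  ' ': status %d (indistinguishable from a healthy space)\n",
           fetch_status(broken_query, ' '));
    return 0;
}
```

The point of OUTLINE_SUSPECT_ZERO is that the caller gets a distinct signal it can act on (for instance, drawing that run through a rendering path that does not need outlines, as CorelDRAW's draft mode does) instead of silently producing blank text; note that for a genuine space the broken and healthy providers are indistinguishable, which is why a presentation could look fine right up to the first visible glyph.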
AFFECTED OS VERSIONS AND SOFTWARE
I strongly suspect that in many more applications than those listed, “convert to curves” functions will fail or result in lost text. I also suspect that in most cases where a current version of an application is affected, so are older versions not listed. What we know is that affected OSes and apps included:
- Windows: All desktop and server versions of Windows from XP to Windows 8, it seems.
- PowerPoint, but only in presentation mode (an especially dangerous failure, as a user might think things were fine… until they tried to do an actual presentation)
- QuarkXPress 7, 8, 9.5 (only affects fonts at 15 pts and larger)
- CorelDRAW X3 to X6. Workaround: view in “draft” mode works because it does not use the problematic API.
- Serif PagePlus
- Adobe Flash (authoring at least, probably not the running of Flash apps?)
- Flexi and SignLab (signmaking apps)
- Avid Marquee (video titling)
- Bentley MicroStation (CAD / information modeling)
- The Secret World (Alternate Reality Game)
- Inkscape (vector drawing)
- Xara Designer Pro X (vector drawing) and possibly other Xara apps
MICROSOFT RESPONSE
The MS Knowledgebase article has a standard section for “known issues.” On Friday Dec 14, 2012, Microsoft updated it to read: “We are aware of issues related to OpenType Font (OTF) rendering in applications such as PowerPoint on affected versions of Windows that occur after this security update is applied. We are currently investigating these issues and will take appropriate action to address the known issues.”
On Thursday, Dec 20, 2012, Microsoft released version 2.0 of the patch that fixes the problems in the original. The “known issues” section now reads: “The original version of security update 2753842 had an issue related to OpenType Font (OTF) rendering in applications such as PowerPoint on affected versions of Windows. This issue was resolved in the version of this security update that was rereleased on December 20, 2012.”