{"id":24896,"date":"2025-11-12T12:03:34","date_gmt":"2025-11-12T17:03:34","guid":{"rendered":"https:\/\/me-en.kaspersky.com\/blog\/canon-ttf-vulnerability-printer-risk\/24896\/"},"modified":"2025-11-18T21:03:04","modified_gmt":"2025-11-18T17:03:04","slug":"canon-ttf-vulnerability-printer-risk","status":"publish","type":"post","link":"https:\/\/me-en.kaspersky.com\/blog\/canon-ttf-vulnerability-printer-risk\/24896\/","title":{"rendered":"Printers attacked by&#8230; fonts"},"content":{"rendered":"<p>These days, attackers probing an organization\u2019s infrastructure rarely come across the luxury of a workstation without an <a href=\"https:\/\/me-en.kaspersky.com\/enterprise-security\/endpoint-detection-response-edr?icid=me-en_kdailyplacehold_acq_ona_smm__onl_b2b_kasperskydaily_wpplaceholder_______\" target=\"_blank\" rel=\"noopener\">EDR agent<\/a>, so malicious actors are focusing on compromising servers, or various specialized devices connected to the network with fairly broad access privileges yet lacking EDR protection and often even logging capabilities. We\u2019ve previously written in detail about the <a href=\"https:\/\/www.kaspersky.com\/blog\/riskiest-it-and-iot-devices-in-organization\/51958\/\" target=\"_blank\" rel=\"noopener nofollow\">types of vulnerable office devices<\/a>. Real-world attacks in 2025 are focused on network devices (such as VPN gateways, firewalls, and routers), video surveillance systems, and the servers themselves. But printers shouldn\u2019t be overlooked either, as independent researcher Peter Geissler reminded the audience at the <a href=\"https:\/\/thesascon.com\" target=\"_blank\" rel=\"noopener nofollow\">Security Analyst Summit 2025<\/a>. 
He described a vulnerability he\u2019d found in Canon printers (<a href=\"https:\/\/www.usa.canon.com\/support\/canon-product-advisories\/service-notice-regarding-vulnerability-measure-against-buffer-overflow-for-laser-printers-and-small-office-multifunctional-printers\" target=\"_blank\" rel=\"noopener nofollow\">CVE-2024-12649<\/a>, CVSS 9.8), which allows executing malicious code on these devices. And the most interesting aspect regarding this vulnerability is that exploiting it merely requires sending an innocent-looking file to print.<\/p>\n<h2>Trojan Type Font: an attack via CVE-2024-12649<\/h2>\n<p>The attack begins with sending an XPS file to print. This format, created by Microsoft, contains all the prerequisites for successful document printing, and serves as an alternative to PDF. XPS is essentially a ZIP archive containing a detailed description of the document, all its images, and the fonts used. The fonts are usually stored in the popular TTF (TrueType Font) format invented by Apple. And it\u2019s precisely the font itself \u2014 something not typically perceived as dangerous \u2014 that contains the malicious code.<\/p>\n<p>The TTF format was designed to both make letters look identical on any medium, and scale correctly to any size \u2014 from the smallest character on a screen to the largest on a printed poster. To achieve this goal, each letter can have <a href=\"https:\/\/en.wikipedia.org\/wiki\/Font_hinting\" target=\"_blank\" rel=\"noopener nofollow\">font hinting<\/a> instructions written for it, which describe the nuances of displaying letters of small sizes. Hinting instructions are essentially commands for a compact virtual machine which, despite its simplicity, supports all the basic building blocks of programming: memory management, jumps, and branching. Geissler and his colleagues studied how this virtual machine is implemented in Canon printers. 
They discovered that <a href=\"https:\/\/haxx.in\/posts\/2025-09-23-canon-ttf\/\" target=\"_blank\" rel=\"noopener nofollow\">some TTF hinting instructions are executed insecurely<\/a>. For example, the virtual machine commands that manage the stack don\u2019t check for overflow.<\/p>\n<p>As a result, they succeeded in creating a malicious font. When a document containing it is printed on certain Canon printers, it causes a stack buffer overflow, writes data beyond the virtual machine\u2019s buffers, and ultimately achieves code execution on the printer\u2019s processor. The entire attack is conducted via the TTF file; the rest of the XPS file content is benign. In fact, detecting the malicious code even within the TTF file is quite difficult: it\u2019s not very long, the first part consists of TTF virtual machine instructions, and the second part runs on the exotic, proprietary Canon operating system (DryOS).<\/p>\n<p>It should be noted that in recent years Canon has focused on securing printer firmware. For example, it uses <a href=\"https:\/\/developer.arm.com\/documentation\/ddi0601\/latest\/AArch32-Registers\/DACR--Domain-Access-Control-Register\" target=\"_blank\" rel=\"noopener nofollow\">DACR<\/a> registers and NX (no-execute) flags supported in ARM processors to limit the ability to modify system code or execute code in memory fragments intended solely for data storage. Despite these efforts, the overall DryOS architecture doesn\u2019t allow for effective implementation of memory protection mechanisms, such as <a href=\"https:\/\/en.wikipedia.org\/wiki\/Address_space_layout_randomization\" target=\"_blank\" rel=\"noopener nofollow\">ASLR<\/a> or <a href=\"https:\/\/en.wikipedia.org\/wiki\/Stack_buffer_overflow#Stack_canaries\" target=\"_blank\" rel=\"noopener nofollow\">stack canary<\/a>, which are typical of larger modern operating systems. This is why researchers occasionally find ways to bypass the existing protection. 
For instance, in the attack we\u2019re talking about, the malicious code was successfully executed by placing it, via the TTF trick, into a memory buffer intended for a different printing protocol \u2014 IPP.<\/p>\n<h2>Realistic exploitation scenario<\/h2>\n<p>In their <a href=\"https:\/\/www.usa.canon.com\/support\/canon-product-advisories\/service-notice-regarding-vulnerability-measure-against-buffer-overflow-for-laser-printers-and-small-office-multifunctional-printers\" target=\"_blank\" rel=\"noopener nofollow\">bulletin<\/a> describing the vulnerability, Canon asserts that the vulnerability can be exploited remotely if the printer is accessible via the internet. Consequently, they suggest configuring a firewall so the printer can only be used from the internal office network. While this is good advice and the printer should indeed be removed from public access, this isn\u2019t the only attack scenario.<\/p>\n<p>In his report, Peter Geissler pointed to a much more realistic, hybrid scenario in which the attacker sends an employee an attachment in an email or a messenger message and, under one pretext or another, suggests they print it. If the victim does send the document to print \u2014 within the internal organization network and without any internet exposure \u2014 the malicious code is executed on the printer. Naturally, the capabilities of the malware when running on the printer will be limited compared to malware that\u2019s infected a full-fledged computer. However, it could, for example, create a tunnel by establishing a connection to the attacker\u2019s server \u2014 allowing the attackers to target other computers in the organization. Another potential use case for this malware on the printer could result in the forwarding of all information being printed at the company directly to the attacker\u2019s server. 
In certain organizations, such as law firms, this could lead to a critical data breach.<\/p>\n<h2>How to fend off this printer threat<\/h2>\n<p>The vulnerability CVE-2024-12649 and several closely related defects can be eliminated by installing the printer firmware update <a href=\"https:\/\/www.usa.canon.com\/support\/canon-product-advisories\/service-notice-regarding-vulnerability-measure-against-buffer-overflow-for-laser-printers-and-small-office-multifunctional-printers\" target=\"_blank\" rel=\"noopener nofollow\">according to Canon\u2019s instructions<\/a>. Unfortunately, many organizations \u2014 even those that diligently update software on computers and servers \u2014 lack a systematic process for updating printer firmware. The process must be implemented for all equipment connected to the computer network.<\/p>\n<p>However, security researchers emphasize that there\u2019s a multitude of attack vectors targeting specialized equipment. Therefore, there\u2019s no guarantee that attackers won\u2019t arm themselves tomorrow with a similar exploit unknown to printer manufacturers or their customers. 
To minimize the risk of exploitation:<\/p>\n<ul>\n<li>Segment the network \u2014 limiting the printer\u2019s ability to establish outbound connections and to accept connections from devices and users not authorized to print.<\/li>\n<li>Disable all unused services on the printer.<\/li>\n<li>Set a unique, complex administrator password on each printer\/device.<\/li>\n<li>Implement a comprehensive security system within the organization \u2014 including <a href=\"https:\/\/me-en.kaspersky.com\/next-edr-optimum?icid=me-en_kdailyplacehold_acq_ona_smm__onl_b2b_kdaily_wpplaceholder_sm-team___knext____0b11d045409a04b7\" target=\"_blank\" rel=\"noopener\">EDR installed on all computers and servers<\/a>, a modern firewall, and comprehensive network monitoring based on an .<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>We examine how popular Canon printers could become a foothold for attackers within an organization&#8217;s 
network.<\/p>\n","protected":false},"author":2722,"featured_media":24897,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1318,1916,1917],"tags":[1457,398,1975,192,1022,337,2860,521,121,268],"class_list":{"0":"post-24896","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-business","8":"category-enterprise","9":"category-smb","10":"tag-business","11":"tag-patches","12":"tag-printers","13":"tag-protection","14":"tag-risks","15":"tag-sas","16":"tag-thesas2025","17":"tag-threats","18":"tag-updates","19":"tag-vulnerabilities"},"hreflang":[{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/canon-ttf-vulnerability-printer-risk\/24896\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/canon-ttf-vulnerability-printer-risk\/29825\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/canon-ttf-vulnerability-printer-risk\/29714\/"},{"hreflang":"es-mx","url":"https:\/\/latam.kaspersky.com\/blog\/canon-ttf-vulnerability-printer-risk\/28788\/"},{"hreflang":"es","url":"https:\/\/www.kaspersky.es\/blog\/canon-ttf-vulnerability-printer-risk\/31664\/"},{"hreflang":"it","url":"https:\/\/www.kaspersky.it\/blog\/canon-ttf-vulnerability-printer-risk\/30315\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/canon-ttf-vulnerability-printer-risk\/40871\/"},{"hreflang":"tr","url":"https:\/\/www.kaspersky.com.tr\/blog\/canon-ttf-vulnerability-printer-risk\/14041\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/canon-ttf-vulnerability-printer-risk\/54764\/"},{"hreflang":"fr","url":"https:\/\/www.kaspersky.fr\/blog\/canon-ttf-vulnerability-printer-risk\/23409\/"},{"hreflang":"de","url":"https:\/\/www.kaspersky.de\/blog\/canon-ttf-vulnerability-printer-risk\/32939\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/canon-ttf-vulnerability-pr
inter-risk\/35661\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/canon-ttf-vulnerability-printer-risk\/35288\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/me-en.kaspersky.com\/blog\/tag\/vulnerabilities\/","name":"vulnerabilities"},"_links":{"self":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/24896","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/2722"}],"replies":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=24896"}],"version-history":[{"count":1,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/24896\/revisions"}],"predecessor-version":[{"id":24923,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/24896\/revisions\/24923"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/24897"}],"wp:attachment":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=24896"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=24896"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=24896"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}