Is there a security risk in adding the .eot file extension to the IgnoreExt ACO parameter?

Document ID : KB000045613
Last Modified Date : 14/02/2018

Introduction: 

EOT stands for Embedded OpenType, a font format that allows the fonts used in the creation of a document to travel with that document, so that a user sees the document exactly as the designer intended. In particular, Internet Explorer and Microsoft Office make use of this file type.

The Single Sign-On (SSO) IgnoreExt Agent Configuration Object (ACO) parameter specifies the types of resource requests that the Web Agent passes to the web server without checking access policies. Requests for resources whose extension is listed in this parameter are served without authentication or authorization, even if the resource lives in a realm that is protected by a policy.

Requests for resources that meet either of the following conditions may be ignored (passed through without a policy check):

  • The resource ends in one of the extensions that you configure the Web Agent to ignore.
  • The URI of the protected resource contains a single period (.). 
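The following is an added example, not part of the original KB article or of the SiteMinder Web Agent code, that models the first IgnoreExt condition above (the requested resource ends in a configured extension) so that the edge cases are visible: the query string does not count, only the last extension of the final path segment counts (so `/export.eot.jsp` is still policy-checked), and a directory named `*.eot` does not turn its contents into ignored resources. The IgnoreExt value shown is a constructed example (the stock extension list with `.eot` appended); case-insensitive matching is an assumption of the model, and the second condition (a URI containing a single period) is not modelled because the page does not spell out its semantics.

```python
from typing import Dict, Iterable, Optional, Set
from urllib.parse import urlsplit

# Constructed IgnoreExt value for this example: the extensions a SiteMinder
# Web Agent ignores out of the box, with .eot appended as the question proposes.
# Treat the exact list as an assumption; copy the real value from your own ACO.
IGNORE_EXT_VALUE = ".class,.gif,.jpg,.jpeg,.png,.fcc,.scc,.sfcc,.ccc,.ntc,.eot"


def parse_ignore_ext(value: str) -> Set[str]:
    """Turn a comma-separated IgnoreExt value into a set of lower-cased
    extensions, each with a leading period, skipping blank entries."""
    exts = set()
    for item in value.split(","):
        item = item.strip().lower()
        if not item:
            continue
        if not item.startswith("."):
            item = "." + item
        exts.add(item)
    return exts


def last_extension(url: str) -> Optional[str]:
    """Extension of the final path segment of a request, ignoring the query
    string and fragment; None when that segment contains no period.
    Only the last period counts: '/x.eot.jsp' has the extension '.jsp'."""
    path = urlsplit(url).path
    segment = path.rsplit("/", 1)[-1]
    if "." not in segment:
        return None
    return "." + segment.rsplit(".", 1)[-1].lower()


def is_ignored(url: str, ignore_exts: Set[str]) -> bool:
    """Model of the first IgnoreExt condition in the KB text: the requested
    resource ends in a configured extension. Case-insensitive comparison is
    an assumption of this model, not a documented agent behaviour."""
    ext = last_extension(url)
    return ext is not None and ext in ignore_exts


def classify(urls: Iterable[str], ignore_exts: Set[str]) -> Dict[str, str]:
    """Map each request to what the agent does with it under this model:
    'pass-through' (served with no policy check) or 'check policy'."""
    return {
        u: ("pass-through" if is_ignored(u, ignore_exts) else "check policy")
        for u in urls
    }


IGNORE_EXTS = parse_ignore_ext(IGNORE_EXT_VALUE)

# Constructed sample requests against a policy-protected realm.
SAMPLE_REQUESTS = [
    "/protected/fonts/open-sans.eot",
    "/protected/fonts/OPEN-SANS.EOT?v=2",
    "/protected/report.pdf",
    "/protected/export.eot.jsp",
    "/protected/fonts.eot/download",
]

if __name__ == "__main__":
    for url, action in classify(SAMPLE_REQUESTS, IGNORE_EXTS).items():
        print(f"{action:13} {url}")
```

The practical use of such a model is to run your own access logs through it before changing the ACO: any request that would become "pass-through" and does not correspond to a static font file served by the web server is a reason to look at how that extension is mapped on the server, not to add it to IgnoreExt.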

Question: 

Is there a security risk in adding the .eot file extension to the IgnoreExt ACO parameter?

Environment:  

ALL

Answer: 

The risk of adding the .eot extension to the IgnoreExt ACO parameter is very limited. The known vulnerabilities associated with this file type concern the contents of the file: a maliciously crafted font can trigger a flaw in the client-side font parser (CVE-2010-1883, referenced below, is a code-execution flaw of this kind in the Windows EOT font engine) and lead to code execution or a malicious redirection in the browser. Those attacks depend on what is in the file, not on who is allowed to request it, so keeping the extension SSO-protected would not prevent them. Conversely, serving a font file to an unauthenticated client discloses nothing sensitive as long as the web server returns only static font files for that extension. Because IgnoreExt matches on the extension of the requested resource alone, confirm before adding .eot that no application handler or dynamic content is mapped to that extension on the web server.

Additional Information:

https://en.wikipedia.org/wiki/Embedded_OpenType#Security_issues

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1883