I worked on font parsing at one point. Indeed, the font rendering libraries are fragile and the formats complex and poorly documented.

This is a case of something being initially designed without security in mind, because fonts were something you bought and installed on your computer like applications. Suddenly, fonts were being automatically downloaded and rendered on web pages.

Auditing font libraries is hard, because you need combined expertise in security and font rendering (which is deeply intricate, especially with full non-Western writing system support.) I expect to see more vulnerabilities here.
Do these vulnerabilities suggest that attackers can gain access to your machine by sending an evil font to your browser? I wish this was getting more press/discussion.
Browser vendors / web standards continue to expand the set of functionality that a browser provides. Each time they do so, they increase the attack surface.