monkeys beware font vulnerabilities in several apps

Discussion in 'Technical' started by sec_monkey, Feb 15, 2016.


Tags:
  1. sec_monkey

    sec_monkey SM Security Administrator

    monkeys beware font vulnerabilities have been discovered in several apps.

    please update your apps and software, fix should be available in the next few days.

    this is web exploitable, please limit non-essential web browsing

    a malicious font can compromise your web browser and other apps and take over your computer

    via /
     
    Last edited: Feb 15, 2016
  2. melbo

    melbo Hunter Gatherer Administrator Founding Member

    What fonts are affected?
     
    Ganado likes this.
  3. DarkLight

    DarkLight I self identify as a Blackhawk Attack Helicopter! Site Supporter

    Cisco Talos Blog: Vulnerability Spotlight: Libgraphite Font Processing Vulnerabilities

    Graphite is a package that can be used to create “smart fonts” capable of displaying writing systems with various complex behaviors. Basically Graphite’s smart fonts are just TrueType Fonts (TTF) with added extensions. The issues that Talos identified include the following:


    • An exploitable denial of service vulnerability exists in the font handling of Libgraphite. A specially crafted font can cause an out-of-bounds read potentially resulting in an information leak or denial of service.
    • A specially crafted font can cause a buffer overflow resulting in potential code execution.
    • An exploitable NULL pointer dereference exists in the bidirectional font handling functionality of Libgraphite. A specially crafted font can cause a NULL pointer dereference resulting in a crash.

    In each of the situations an attacker can provide a malicious font to trigger the specified vulnerability.

    ***SNIP***

    Known Vulnerable Versions:

    Libgraphite 2-1.2.4
    Firefox 31-42
     
    melbo likes this.
  4. DarkLight

    DarkLight I self identify as a Blackhawk Attack Helicopter! Site Supporter

    Vulnerability in Font Processing Library Affects Linux, OpenOffice, Firefox

    This link mentions some of what is already fixed.

    UPDATE 1: Mr. Hosken from the Graphite team has confirmed to Softpedia that these issues have been fixed in Graphite 2-1.3.5.

    UPDATE 2: On February 11, 2016, Mozilla released Firefox 44.0.2 and Firefox ESR 38.6.1 that includes a fix for this issue.

    ***ETA***
    Thank you Fedora for having already made this update available and installed for me. :D
     
    stg58 likes this.
  5. melbo

    melbo Hunter Gatherer Administrator Founding Member

    Yep. Just pulled down latest libreoffice and ff
     
  6. stg58

    stg58 Monkey+++ Site Supporter+ Founding Member

    It is somewhat annoying to see auto updates but the Linux boys and girls living in their mothers basement are usually ahead of me..:)








    L
     
  7. DarkLight

    DarkLight I self identify as a Blackhawk Attack Helicopter! Site Supporter

    HEY! I own my own basement, thankyouverymuch.
     
  1. Motomom34
  2. DarkLight
  3. Motomom34
  4. sec_monkey
  5. sec_monkey
  6. stg58
  7. melbo
  8. melbo
  9. sec_monkey
  10. sec_monkey
  11. sec_monkey
survivalmonkey SSL seal        survivalmonkey.com warrant canary
17282WuJHksJ9798f34razfKbPATqTq9E7