
Graphite Font Vulnerability in Firefox, PaleMoon, WordPad, Open/LibreOffice, and Linux

Four vulnerabilities in the Graphite (or libgraphite) font processing library allow attackers to compromise machines by supplying them with malicious fonts...

The worst is an out-of-bounds read bug (CVE-2016-1521) that allows attackers to crash the system and even execute arbitrary code on the machine...

Users don't even have to click on the attacker's links and can be forced to access the malicious Web page hosting weaponized Graphite-enabled fonts via hidden redirects, often used by malvertising campaigns.

Researchers say they tested only Libgraphite 2-1.2.4... [and Softpedia has confirmed that] these issues have been fixed in Graphite 2-1.3.5.


Remark: It is unclear to me how one determines what version of (lib)graphite they have/are running on their system. And if it's the vulnerable one, how one updates to the newer version...
Or is this something that THEY (automatically) update at the server-end?


(With acknowledgment to Minimalist for posting at Wilders)


Windows 7 Pro SP1 (64-bit), avast! v17 Free, MBAM3 Pro, Windows Firewall, OpenDNS Family Shield, SpywareBlaster, MVPS HOSTS file, MBAE Premium, MCShield, WinPatrol PLUS, SAS (on-demand scanner), Zemana AntiLogger Free, IE11 & Firefox (both using WOT [IE set to WARN, FF set to BLOCK]), uBlock Origin, CryptoPrevent.

[I believe computer-users who sandbox (Sandboxie) are acting prudently.]
