monkeys beware font vulnerabilities in several apps

Discussion in 'Technical' started by sec_monkey, Feb 15, 2016.


Tags:
  1. sec_monkey

    sec_monkey SM Security Administrator

    monkeys beware font vulnerabilities have been discovered in several apps.

    please update your apps and software, fix should be available in the next few days.

    this is web exploitable, please limit non-essential web browsing

    a malicious font can compromise your web browser and other apps and take over your computer

    via /
     
    Last edited: Feb 15, 2016
    sec_monkey, Feb 15, 2016
    #1
    Ganado, Witch Doctor 01, ghrit and 1 other person like this.
  2. melbo

    melbo Hunter Gatherer Administrator Founding Member

    What fonts are affected?
     
    melbo, Feb 15, 2016
    #2
    Ganado likes this.
  3. DarkLight

    DarkLight Live Long and Prosper - On Hiatus

    Cisco Talos Blog: Vulnerability Spotlight: Libgraphite Font Processing Vulnerabilities

    Graphite is a package that can be used to create “smart fonts” capable of displaying writing systems with various complex behaviors. Basically Graphite’s smart fonts are just TrueType Fonts (TTF) with added extensions. The issues that Talos identified include the following:


    • An exploitable denial of service vulnerability exists in the font handling of Libgraphite. A specially crafted font can cause an out-of-bounds read potentially resulting in an information leak or denial of service.
    • A specially crafted font can cause a buffer overflow resulting in potential code execution.
    • An exploitable NULL pointer dereference exists in the bidirectional font handling functionality of Libgraphite. A specially crafted font can cause a NULL pointer dereference resulting in a crash.

    In each of the situations an attacker can provide a malicious font to trigger the specified vulnerability.

    ***SNIP***

    Known Vulnerable Versions:

    Libgraphite 2-1.2.4
    Firefox 31-42
     
    DarkLight, Feb 15, 2016
    #3
    melbo likes this.
  4. DarkLight

    DarkLight Live Long and Prosper - On Hiatus

    Vulnerability in Font Processing Library Affects Linux, OpenOffice, Firefox

    This link mentions some of what is already fixed.

    UPDATE 1: Mr. Hosken from the Graphite team has confirmed to Softpedia that these issues have been fixed in Graphite 2-1.3.5.

    UPDATE 2: On February 11, 2016, Mozilla released Firefox 44.0.2 and Firefox ESR 38.6.1 that includes a fix for this issue.

    ***ETA***
    Thank you Fedora for having already made this update available and installed for me. :D
     
    DarkLight, Feb 15, 2016
    #4
    stg58 likes this.
  5. melbo

    melbo Hunter Gatherer Administrator Founding Member

    Yep. Just pulled down latest libreoffice and ff
     
    melbo, Feb 15, 2016
    #5
  6. DarkLight

    DarkLight Live Long and Prosper - On Hiatus

    HEY! I own my own basement, thankyouverymuch.
     
    DarkLight, Feb 16, 2016
    #6
  1. sec_monkey
    Thread

    HP laptop battery recall

    HP Recalls 50,000 Lithium-Ion Laptop Batteries Over Fire Risk The recall affects batteries sold with, or as accessories for, the following...
    Thread by: sec_monkey, Jan 5, 2018, 2 replies, in forum: Technical
  2. 3M-TA3
    Thread

    EVERY Wireless Network Vulnerable!

    Fundamental flaw in WPA/WPA2 handshake...:eek::eek::eek::eek::eek: Time to pull the rest on my CAT6 Every Wi-Fi network at risk of unprecedented...
    Thread by: 3M-TA3, Oct 16, 2017, 24 replies, in forum: Technical
  3. Yard Dart
    Thread

    ShotSpotter

    There’s a secret technology in 90 US cities that listens for gunfire 24/7 [IMG] Terrell Ortiz was sitting in the passenger seat of his white...
    Thread by: Yard Dart, Oct 10, 2017, 20 replies, in forum: General Discussion
  4. Motomom34
    Thread

    Tech Q’s on computers/phones plus e-mails and text

    @DarkLight started a thread on tech security but I often see people, posting for help in the shoutbox over my computer is doing XX. We have an...
    Thread by: Motomom34, Aug 11, 2016, 12 replies, in forum: Technical
  5. DarkLight
    Thread

    Security

    Numerous times since I joined the forum we have had questions and resulting threads show up about security in many different forms. While I'm not...
    Thread by: DarkLight, Jul 3, 2016, 34 replies, in forum: Technical
  6. Motomom34
    Thread

    Spying with Apple devices

    I need tech help. I saw this done. Really cool [MEDIA] If you own Apple products or similar products maybe you can help. The reason this would...
    Thread by: Motomom34, Mar 16, 2016, 8 replies, in forum: Technical
  7. sec_monkey
    Thread

    monkeys beware. cross-platform Java malware

    Criminal gangs in Brazil are experimenting with the first malware families that are packaged as JAR files, capable of being deployed to Windows,...
    Thread by: sec_monkey, Mar 8, 2016, 5 replies, in forum: Technical
  8. sec_monkey
    Thread

    Apple users beware

    Apple users were targeted in the first known Mac ransomware campaign. Hackers targeted Transmission, which is one of the most popular Mac...
    Thread by: sec_monkey, Mar 7, 2016, 2 replies, in forum: Technical
  9. melbo
    Thread

    Recently bought a Windows computer? Microsoft probably has your encryption key

    ONE OF THE EXCELLENT FEATURES of new Windows devices is that disk encryption is built-in and turned on by default, protecting your data in case...
    Thread by: melbo, Jan 18, 2016, 16 replies, in forum: Technical
  10. melbo
    Thread

    Network cable heat shrink labels

    Anyone have one of these printers? I want to label some things in my network cabinet and only need 10 or so printed. [ATTACH]
    Thread by: melbo, Jan 17, 2016, 22 replies, in forum: Technical
  11. sec_monkey
    Thread

    Monkeys beware Critical vulnerability in XZERES 442SR wind turbines

    A critical vulnerability (score 9.8 out of 10) has been discovered in Internet-enabled XZERES 442SR wind turbines. XZERES 442SR Wind Turbine...
    Thread by: sec_monkey, Dec 9, 2015, 0 replies, in forum: Off Grid Living
  12. sec_monkey
    Thread

    Monkeys beware Millions of Smart TVs, Phones and Routers At Risk

    Adding fuel to the growing concern over how manufacturers of devices such as routers and smart TVs deal with security vulnerabilities that emerge...
    Thread by: sec_monkey, Dec 5, 2015, 12 replies, in forum: Technical
  13. sec_monkey
    Thread

    Monkeys Beware: New zero-day exploit hits fully patched Adobe Flash

    New zero-day exploit hits fully patched Adobe Flash | Ars Technica best solution uninstall Adobe Flash 2nd best solution disable Adobe Flash or...
    Thread by: sec_monkey, Oct 14, 2015, 6 replies, in forum: Technical
survivalmonkey SSL seal        survivalmonkey.com warrant canary
17282WuJHksJ9798f34razfKbPATqTq9E7