It's 2016 and a font file can own your computer
Libgraphite font library buggy and vulnerable in Firefox, Thunderbird, WordPad and more says Talos
Updated Cisco-owned Talos has announced a bunch of font library bugs present in apps running on Windows and Linux, affecting client and-server-side machines.
The problem is in the Libgraphite library, and means that applications using the library to load .TTF font files can inherit its vulnerabilities. All that's needed for a successful exploit, Talos writes, is that the user be tricked into running a Graphite-enabled application rendering a page with a maliciously crafted font.
Since Libgraphite is a font library, vulnerable environments aren't confined to a particular operating system. Microsoft WordPad uses it, but so do Thunderbird, Firefox, and OpenOffice (to name a few).
The post reckons that "Linux" is vulnerable, but El Reg suspects that's a misconstruction, since it's clear that the vuln is triggered by Graphite-enabled applications.
And since Libgraphite supports server-side fonts, “the attacker could easily compromise a server and then serve the specially crafted font when the user renders a page from the server.”
Talos describes four vulnerabilities with CVEs (common vulnerabilities and exposures) CVE-2016-1521/2/3/6.
Topping the severity list is the out-of-bounds read. The font package's authors missed checking a goto value to make sure that program variable remains within memory bounds.
“The out of bounds read causes the TTF virtual machine to execute code under control of the attacker”, Talos explains – and TTF virtual machine exploits were demonstrated by Keen Team at last year's pwn2own.
In the heap overflow bug, the malicious font can trigger a buffer overflow; there's also to denial-of-service issues arising from a NULL pointer, and a second out-of-bounds read. The latter also creates an information leak condition.
Talos says Libgraphite 2-1.2.4 is known vulnerable, has offered some suggested fixes, and has some Snort rules to catch exploits. ®
Update: The Mozilla Foundation has dropped El Reg a note to say the latest version of Firefox is not vulnerable to this bug. Always keep up with updates, readers. ®