Security researchers have found vulnerabilities in Graphite, also known as Libgraphite font processing library, that affects a number of systems. The vulnerabilities, if exploited, allow an attacker to seed malicious fonts to a machine. The Libgraphite library is utilised by Linux, Thunderbird, WordPad, Firefox, OpenOffice, as well as several other major platforms and applications.
Security researchers from Cisco have posted an advisory to outline four vulnerabilities in the Libgraphite font processing library. One of the vulnerabilities allows the attackers to execute arbitrary code on the machine, and among other things, crash the system.
Two of the vulnerabilities can result in denial of service situations. "An attacker simply needs the user to run a Graphite-enabled application that renders a page using a specially crafted font that triggers one of these vulnerabilities," the team wrote in a blog post.
The vulnerabilities impact older versions of Firefox (not v43 and v44) and many other aforementioned apps and services that support Graphite. "Since Mozilla Firefox versions 11-42 directly support Graphite, the attacker could easily compromise a server and then serve the specially crafted font when the user renders a page from the server (since Graphite supports both local and server-based fonts)" To recall, Firefox included Graphite by default in 2012.
Besides the large range of devices that are impacted, the vulnerabilities are also concerning because it is quite easy for attackers to get hold of a machine. A user can unknowingly visit a malicious website and get affected. Mozilla, and various Linux distributions are yet to address the issue.
Update: In an emailed statement to Gadgets 360, Dan Veditz, Principal Security Engineer at Mozilla, said, "The current general available release of Firefox is not affected by the Libgraphite font vulnerability. Users should always make sure to update to the latest version of Firefox for the most-recent security updates and features by going to https://www.mozilla.org/firefox."