Four vulnerabilities in the Graphite (or libgraphite) font processing library allow attackers to compromise machines by supplying them with malicious fonts.
In its description, Graphite's authors describe the library as a tool capable of creating "smart fonts" that can display dynamic glyphs for showing complex writing systems.
Many applications use Graphite, and among them are Firefox, Pale Moon, Thunderbird, OpenOffice, LibreOffice, and WorldPad, but the library is also used in many Linux distros. According to an advisory put out by the Cisco Talos security team, this library includes four vulnerabilities. The worst is an out-of-bounds read bug (CVE-2016-1521) that allows attackers to crash the system and even execute arbitrary code on the machine. While you may think a bug in a library you've never heard of may be easy to ignore, you couldn't be further from the truth.
Taking into account that Graphite has been included by default in Firefox since version 11, released on March 13, 2012, the library opens a wide target for attackers to exploit. Cisco says that by tinkering with Graphite-enabled fonts, hosting them on a server and delivering the malformed fonts to users inside the CSS of a malicious Web page, an attacker could weaponize their exploit without requiring any type of interaction on the user's part.
Firefox and one malicious font can compromise your computer
Users don't even have to click on the attacker's links and can be forced to access the malicious Web page hosting weaponized Graphite-enabled fonts via hidden redirects, often used by malvertising campaigns. Once the user reaches a page delivering malicious Graphite-enabled fonts, the vulnerability allows the attacker to get a foothold on the user's system.
Additionally, packing an exploit into a trojan would also allow classic malware to leverage this vulnerability against desktop software like OpenOffice and LibreOffice, and Linux distros that use it to display fonts. Besides the out-of-bounds issue, Cisco has also discovered a buffer overflow issue that led to remote code execution (CVE-2016-1523) and two DoS (Denial of Service) issues, but not as severe as the first two.
Researchers say they tested only Libgraphite 2-1.2.4 and Firefox 31 in their inquiries, but technically, other versions may also be vulnerable. In their threat advisory, the Cisco team does not mention if the Graphite team fixed these issues after their report, but the Graphite team released Libgraphite 2-1.3.5 at the start of January, which their changelog says contains a security bug fix. Experts have contacted the Graphite team for more details. We'll update the post with info about what version fixed the Cisco-reported issues when we have it.
110 Reykjavik, Iceland