Facebook discloses FreeType 2 flaw exploited in attacks

FreeType is a popular open-source font rendering library used to display text and programmatically add text to images. It provides functionality to load, rasterize, and render fonts in various formats, such as TrueType (TTF), OpenType (OTF), and others.
Facebook disclosed the flaw yesterday, warning that the vulnerability affects all versions of FreeType up to and including 2.13.0 and that there are reports of it being actively exploited in attacks.
"An out of bounds write exists in FreeType versions 2.13.0 and below when attempting to parse font subglyph structures related to TrueType GX and variable font files," reads the bulletin.
"The vulnerable code assigns a signed short value to an unsigned long and then adds a static value causing it to wrap around and allocate too small of a heap buffer."
"The code then writes up to 6 signed long integers out of bounds relative to this buffer. This may result in arbitrary code execution."
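The bug class the bulletin describes is a sign-conversion plus wraparound: a signed short holding a count is stored in an unsigned long, a constant is added, and a negative count turns into a near-maximum value that wraps to a tiny allocation. The following is an added illustration of that pattern and its hardened form; it is not FreeType's code, the constants (a static value of 6 slots, a consumer that writes 6 longs) are assumptions chosen to mirror the bulletin's description, and the overflow is computed arithmetically rather than performed so the program is safe to run.

```c
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

/* Illustrative constants, not FreeType's: the "static value" added to the
 * entry count, and the number of long slots the consumer later writes. */
#define EXTRA_SLOTS   6UL
#define SLOTS_WRITTEN 6UL

/* Vulnerable pattern: a signed short is assigned to an unsigned long and a
 * constant is added. A negative count becomes a value close to ULONG_MAX, the
 * addition wraps modulo 2^N, and the computed slot count is tiny or zero. */
unsigned long vuln_slot_count(short n_entries)
{
    unsigned long slots = n_entries;   /* -6 becomes ULONG_MAX - 5 */
    slots += EXTRA_SLOTS;              /* wraps to 0 for n_entries == -6 */
    return slots;
}

/* Number of long slots the consumer would write past the end of a buffer
 * allocated with vuln_slot_count(); 0 means the writes stay in bounds.
 * Computed arithmetically so this demo never performs the real overflow. */
unsigned long vuln_overflow_slots(short n_entries)
{
    unsigned long slots = vuln_slot_count(n_entries);
    return SLOTS_WRITTEN > slots ? SLOTS_WRITTEN - slots : 0UL;
}

/* Hardened version: reject negative counts before the conversion and check
 * the addition for overflow in the destination type. Returns 1 and fills
 * *out on success, 0 for a count that must be treated as a malformed font. */
int safe_slot_count(short n_entries, unsigned long *out)
{
    if (n_entries < 0)
        return 0;
    unsigned long slots = (unsigned long)n_entries;
    if (slots > ULONG_MAX - EXTRA_SLOTS)   /* unreachable for a short; kept for generality */
        return 0;
    *out = slots + EXTRA_SLOTS;
    return 1;
}

/* Allocate with the hardened count and bounds-check the writes against it.
 * Returns the number of slots written, or 0 if the input was rejected or
 * the buffer would be too small for the consumer's writes. */
unsigned long safe_fill(short n_entries)
{
    unsigned long slots;
    if (!safe_slot_count(n_entries, &slots) || slots < SLOTS_WRITTEN)
        return 0;
    long *buf = calloc(slots, sizeof *buf);
    if (!buf)
        return 0;
    for (unsigned long i = 0; i < SLOTS_WRITTEN; i++)
        buf[i] = (long)i;
    free(buf);
    return SLOTS_WRITTEN;
}

int main(void)
{
    /* Constructed sample counts, including the negative values an attacker
     * would place in a font file to trigger the wraparound. */
    short samples[] = { 10, 1, 0, -1, -2, -6, -7 };
    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++) {
        short n = samples[i];
        unsigned long ok;
        printf("n=%3d  vuln slots=%20lu  oob longs=%lu  hardened=%s\n",
               n, vuln_slot_count(n), vuln_overflow_slots(n),
               safe_slot_count(n, &ok) ? "accepted" : "rejected");
    }
    return 0;
}
```

Running it shows the vulnerable arithmetic accepting every negative count and handing the allocator a buffer of between 0 and 5 slots that the 6-slot write then overruns, while the hardened path rejects negatives outright. Building with `-Wsign-conversion` flags the implicit short-to-unsigned-long assignment at compile time, and `-fsanitize=address` catches the resulting heap write if the real overflow is exercised.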
Although the newest vulnerable release, 2.13.0, is roughly two years old, older library versions can persist in software projects for extended periods, and FreeType is frequently vendored or statically linked into applications rather than taken from the system package. It is therefore important to locate embedded copies as well and update them to a release newer than 2.13.0 as soon as possible.
BleepingComputer asked Meta about the flaw and how it was exploited, and was sent the following statement.
"We report security bugs in open source software when we find them because it strengthens online security for everyone," Facebook told BleepingComputer.
"We think users expect us to keep working on ways to improve security. We remain vigilant and committed to protecting people's private communications."