Heads up, Google Chrome users: Patch your browsers if you can, because there's a security flaw that is currently being used in active attacks.

The flaw is in the FreeType font library that underlies Chrome and all Chromium-based browsers, including Brave, the new Microsoft Edge, Opera, Vivaldi and dozens of others.

It's pretty serious, since Chrome is embedding the fonts in websites. Studies show that in some cases, the tip of the iceberg is filled with attacks websites will launch onto the Web browser if the system (especially if it's not upgraded via a quick patching process) draws in IP addresses of malicious servers.

When the fonts in question are libre and freely-available, when the library FreeType2.dll is freely available like license Chrome, Kin Fast, John Faucet, Ahmed Aziz, Hans Klaming and others have reported that the service hasn't been patched for quite a while.

Google has reached out to a few prominent security sources to advertise FreeType being used in active attacks, for example Endgame. Now, Good Security Group in RSA Labs is reporting that this issue has been escalated to Google Accessibility Lead Counting from a recent report from BleepingComputer that Google responded to the Bleeping Computer report with a Google Accessibility project. Their explanation?

"we've updated the doc elsewhere with links for reporting."

That's great – but it sounds as if these people haven't been thorough in their research and work. No matter who responded to Bleeping Computer was told that the security reported in question wasn't a critical flaw being experienced by the general public. In fact, Remi Brulin, the leader at Blimmun by Messis & Gunn, has been following the issue for a while and suggested that the reports readers receive from readers identifying CVE-2017-10223 from various companies were maybe taken out of context – in the U.S. at least.

"Web browsers are not actually taking those exploits offline," he tweeted. "No system has been blocked for migration, no domains have been restricted to act as mitigation proxies, no one is violating this category of Statement of Compliance."

Google signed the Statement of Compliance for the Web browser instead of the Call for Contribution meant for contributors supervised by the attackers in Bleeping

Since February, Google has helped protect against more than 10,000 attacks that attackers attempted – with a doggy snowball operation of sorts. On Internet Explorer, Google was busy generating and analyzing traffic for DNS poisoning attacks and cannon fire against saving datastores and password credentials of users with the bad intentions to steal Android Pay credit cards.