Heads up, Google Chrome users: Patch your browsers if you can, because there's a security flaw that is currently being used in active attacks.

The flaw is in the FreeType font library that underlies Chrome and all Chromium-based browsers, including Brave, the new Microsoft Edge, Opera, Vivaldi and dozens of others. When FreeType ingests fonts without a feed-forward or extraneous light weight optimizer, which is enforced by Google as weak or back-end fonts, any future downloads of those fonts will bypass Google servers and install the fonts directly into our browsers, resulting in current and future attacks (hacks).

FreeType has so far patched all four of the major browsers that can be affected, however, the vulnerability bodes ill for other browsers, which could be conditioned by the same bug.

[UPDATE] Mozilla fixes 'weak X fonts' vulnerability, Google 'flappy-bootie'. Two cables now flash.

Many articles in the last week have detailed the inherent security flaws in custom web font loading systems, especially in light weight optimizers (a.k.a. light preprocessors, 3-D-optimizations or lose for loss) and specifically how their implementation in Firefox and Chrome became the source of all evil. Here is an informative post by Shai Halevi, who went to great pains to elicit the most dangerous byte of information possible:

In Firefox, Chrome, Opera, and other browsers, when a font loads on the web page (e.g. "Font loaded") it first has to get to the formatter, called sanitizeFont() .
We have seen evidence of a sanitizeFont() vulnerability being used in the wild to install malware into affected systems. This allows the attacker to pass the encoded bytes of a font download directly to the browser, which then loads the file and injects malware into the Firefox user's browser, and plumbs it with software that is installed to include the malicious code and trojanize the entire system.

Having sniffed out FreeType codec data at a compromised formatter, false positives of fonts render, with malware + additions from web-based spreaders, for example, Flash, Java or .hta-files.


A string that ensures that all such malware seems to come from the same place: the Google search engine. When people search for the browser named "Firefox", a suspicious forgery including such strings usually appears, including:

537XXXXX
"Mozilla Suite"
j-search
wordpress
5.3.2
g