Heads up, Google Chrome users: Patch your browsers if you can, because there's a security flaw that is currently being used in active attacks.

The flaw is in the FreeType font library that underlies Chrome and all Chromium-based browsers, including Brave, the new Microsoft Edge, Opera, Vivaldi and dozens of others.

The Fontclass JavaScript API (a list of functions you may want to check when setting fonts) plays a key role in the attack. Chrome transitions between software rendering, which it calls virtual rendering, and hardware rendering when running under normal or low-end hardware. When the software render engine detects big chunks of text needing huge amounts of computational resources, it can "optimize" the rendering instead of forcing those rendering decisions on the application.

In other words, even if the developers of software rendering were to make all of the application's font files available to it and then run a JavaScript program that selectively allowed it to use these files, and the font mount of the GPU were available with all unused resources managed, it wouldn't be able to automatically render anything.

The researchers explain:

As a result of the unpredictability of how Google Chrome handles fonts, we developed a proof-of-concept exploit [via a tool posted on GitHub] that allows rendering tricks that Google Chromium does not utilize internally. No modifications to existing browser software are required, and exploit code execution in some otherwise blocked content.

They say their experiment is only a proof-of mechanic restriction, but as a proof-of-concept anyone can see the potential for indiscriminate restricting of bans, and afraid downloaders can be forced to update their software. Maybe this is also a warning to turn off Chrome until the issue is corrected or a way of getting around experimental extensions that could introduce vulnerabilities.

INHIBITED MIME-SPORE

Cody Mullins, product manager for Firefox at Microsoft, explained that while Microsoft removed IME input "until the security community can confirm otherwise," it looks like that effort is moving forward a little sooner. He shared with program producers and readers (hat tip to Federico Viticci for pointing this out) that they are in direct communication with the popular document Staples uses to organize its shopping requests to make sure this sensitive information filters properly between webpages and other web users.

Amazon already required users to complete a self-audit as part of the Vulnerability and Safety team, and gets on board with any grassroots effort to find your language kiddies and root out where security seekers may be lying. "In the U.S., privacy and security are left up to individual consumers to decide," says a Paragon blog post.

Prawderweb was one such used e-mail provider offering privacy tips, the admins at rotten-web-
g