Paragon has been accused by WhatsApp of exploiting an out-of-bounds flaw in the FreeType open-source library, months after Meta disclosed the issue to have been actively abused for arbitrary code execution.
According to SecurityWeek, the vulnerability was identified in FreeType 2.13.0 and earlier, and could be triggered by TrueTypeGX and variable font file-related font subglyph structure parsing, according to an advisory from Meta.
"The vulnerable code assigns a signed short value to an unsigned long and then adds a static value causing it to wrap around and allocate too small of a heap buffer," Meta added. “The code then writes up to six signed long integers out of bounds relative to this buffer.”
The development comes as
Paragon's Graphite spyware was observed by Citizen Lab researchers to have compromised iPhones running up-to-date software. Apple has since addressed the vulnerability.
Written by
Dan Raywood is a B2B journalist with 25 years of experience, including covering cybersecurity for the past 17 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes.
He has spoken at events including 44CON, Infosecurity Europe, RANT Forum, BSides Scotland, Steelcon and the National Cyber Security Show, and served as editor of SC Media UK, Infosecurity Magazine and IT Security Guru. He was also an analyst with 451 Research and a product marketing lead at Tenable.
