Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Software Bug Java Microsoft Windows IT News

Windows' Built-In PDF Reader Exposes Edge Browser To Hacking (softpedia.com) 97

An anonymous reader writes: Edge, Microsoft's new browser, uses the WinRT PDF library to automatically embed and present PDF files while navigating the web. This is what Java does with applets, and Flash with SWF files -- it unintentionally allows a hacker to append malicious code to PDF files and trigger drive-by attacks, which exploit WinRT vulnerabilities to target Windows 10 users. All that an attacker needs to do is to find and create a database of WinRT vulnerabilities it could leverage to distribute his malware.
This discussion has been archived. No new comments can be posted.

Windows' Built-In PDF Reader Exposes Edge Browser To Hacking

Comments Filter:
  • FUD News? (Score:4, Insightful)

    by RockoW ( 883785 ) on Wednesday March 02, 2016 @06:04PM (#51625385) Homepage
    So they are talking about a possibility of exploit and not an actual exploit....
    • Otherwise known as a vulnerability.
      • Re:FUD News? (Score:5, Insightful)

        by amicusNYCL ( 1538833 ) on Wednesday March 02, 2016 @06:19PM (#51625493)

        Why is the story specifically about Edge? Doesn't Chrome also have a built-in PDF reader? Is there something that makes Edge vulnerable in this case but Chrome isn't?

        • by Anonymous Coward

          This is Slashdot, Google can do no wrong and Apple has the best UI design.

        • Firefox also has an internal PDF viewer. Is there any difference? Is there something specific reason that makes the embedded PDF viewer safe in Chrome or Firefox, but not in Edge?

          • Re:And Firefox? (Score:5, Informative)

            by NotInHere ( 3654617 ) on Wednesday March 02, 2016 @09:16PM (#51626359)

            In fact there is a difference that makes the PDF reader in Firefox more secure than the ones in Chrome or Edge: In chrome and edge, the PDF reader is a binary module, that's sandboxed some way from the other parts of the operating system, with that sandbox being the only protection mechanism.

            In Firefox, the PDF reader is written 100% in javascript. Originally in fact it has been written by some guy who greatly improved the javascript JIT engine for firefox, and wanted to demonstrate how fast the javascript VM now has became, and that it can run "real" applications like PDF readers.

            In fact, since the earliest days, the website for the firefox PDF reader featured his paper as example document: https://mozilla.github.io/pdf.... [github.io]

            To get back to the topic: due to the fact that the firefox PDF reader only uses APIs and functionality that is already available in the web, viewing a PDF file isn't less secure than normally browsing the internet (without any addons that e.g. block javascript or something). So in theory the firefox PDF reader should be the most secure one, as there is no difference, and thus no additional attack surface.

            However, there is a tiny part where the firefox PDF reader is different from normal js code, and it has been abused already once: https://blog.mozilla.org/secur... [mozilla.org]
            It was no remote code execution bug, but it allowed websites to read files on your disk, that's pretty bad.

            So yes, in principle the PDF reader for firefox is the most secure one.

      • by Tx ( 96709 )

        No. A vulnerability is a specific flaw that could be exploited. There's no specific flaw here, the article is merely saying that if flaws are found in WinRT PDF, the could be exploited through Edge. And by the way, it also goes on to explain why that would be particularly hard. Really no story here.

    • So they are talking about a possibility of exploit and not an actual exploit....

      Oh well as long as it's only a possibility then there's nothing to worry about and we should all just move along, nothing to see here...

      • by AC-x ( 735297 )

        Oh well as long as it's only a possibility then there's nothing to worry about and we should all just move along, nothing to see here...

        You know, there's a possibility that the browser you used to post that comment itself has a remote code execution exploit, and there's a possibility that your OS has a privilege escalation exploit. That means there's a possibility that by simply viewing a website your whole computer could be taken over by a hacker!

        Anyway from TFA WinRT uses exploit mitigation features so there shouldn't be any more risk than if the PDF reader was simply built into the browser (i.e. there's still plenty of risk as is true fo

    • Didn't Microsoft have similar problems with incorporating third party tools into IE4? And that was like what, 1997?
  • by rsborg ( 111459 ) on Wednesday March 02, 2016 @06:06PM (#51625399) Homepage

    The PDF format v1.7 supports all sorts of crazy stuff (including javascript). Apple was sane, and IIRC, doesn't support PDF 1.7, probably only 1.5 (and not all of it - some features like pdf_packages and nested PDFs didn't work right in previous versions of OSX).

    I thought that MS Word proved you shouldn't have script code in your (mainly recognized as printed text) file formats. Of course, leave it to Microsoft to re-learn their own history.

    Unless you think they simply don't care about this shit.

    • by Anonymous Coward

      Unless you think they simply don't care about this shit.

      They don't because their customers don't. The ones that really cared about security left DOS/Windows nightmare a long time ago.

      • by Anonymous Coward

        This. My company gave up on Windows after we almost went out of business because of a data leak due to a .NET bug. Anyone still using doesn't care about security.

        • Re: (Score:1, Interesting)

          This. My company gave up on Windows after we almost went out of business because of a data leak due to a .NET bug. Anyone still using doesn't care about security.

          Which bug was that?

    • Comment removed based on user account deletion
    • by lgw ( 121541 )

      Did PDF recently become Turing complete? I thought it always was, but maybe I'm mis-remembering. Postscript is a full programming language, but fortunately it's quite rare to see it these days. Thank goodness Display PostScript did not become the way web pages get rendered.

  • by PhrostyMcByte ( 589271 ) <phrosty@gmail.com> on Wednesday March 02, 2016 @06:20PM (#51625495) Homepage
    Is there an actual bug in EDGE's PDF viewer, or are we just saying software can have bugs and that people will try to exploit those bugs?
    • It downloads unknown executable code from the Internet, and then executes it. Fortunately the Internet is a very safe place on which no-one would ever dream of posting malicious code.
      • by batkiwi ( 137781 )

        Wait until you find out about browsers downloading html and javascript....

    • Is there an actual bug in EDGE's PDF viewer, or are we just saying software can have bugs and that people will try to exploit those bugs?

      In a word, "yes".

      • Is there an actual bug in EDGE's PDF viewer, or are we just saying software can have bugs and that people will try to exploit those bugs?

        In a word, "yes".

        No.

    • Is there an actual bug in EDGE's PDF viewer

      No. That is, there might be, but the blog post is not about the discovery of a vulnerability.

      or are we just saying software can have bugs and that people will try to exploit those bugs?

      Yes, pretty much. The slashdot submission actually tries to spin the message of blog post around: Reading the post, the researcher seems to be of the opinion that even with a vulnerability in the PDF library of WinRT - especially with Control Flow Guard protection in Windows 10 - is actually very, very hard to exploit. Not exactly what you read from the submission.

      And it makes sense too: A PDF library developed unde

  • by nuckfuts ( 690967 ) on Wednesday March 02, 2016 @06:29PM (#51625571)

    "... is find and create a database of WinRT vulnerabilities...".

    You mean the way any piece of software in existence could be exploited by "finding a vulnerability"?

    Even the referenced article states that...

    ...because Windows 10 implemented former EMET features such as ASLR protection and Control Flow Guard, [this] "makes the development of exploits for WinRT PDF vulnerabilities time-consuming and therefore costly for an attacker."

    So not only is this utter FUD, it's self-contradictory FUD.

    • Comment removed based on user account deletion
      • You're missing the point. The summary implies Edge using the WinRT PDF library makes attacks easier, but the article goes on to say that Windows 10 uses EMET techniques that make attacks harder. That's the contradictory part.

        The summary also states that an attacker needs to "find and create a database of WinRT vulnerabilities". Not that any exploit exists, just that one might be found, which one could say about any software. That's the FUD part.

  • by Anonymous Coward
    So a story about the possibility of an exploit if a vulnerability can be found for a dead platform (WinRT is the old arm original surface devices that sold like arse). Why the fuck are they even researching this? even if WinRT was wide open with publically known vulnerabilities it would pretty much be a non issue as almost no one uses it so trying to exploit it is pointless. It is like pointing out a security hole in OS/2, or DR DOS.
  • by penguinoid ( 724646 ) on Wednesday March 02, 2016 @07:06PM (#51625771) Homepage Journal

    For more information on the hack, click here [suspicious-site.com] [pdf]

  • ...for using Windows 10.
  • All the article says is because Edge uses a library to open PDFs, someone could potentially find a vulnerability and then exploit it if they are not stopped by extensive sandboxing features by the browser. That's a lot of handwaving and not one concrete exploit.

    • And Microsoft will probably patch it with the this month's security updates, which should be out next Tuesday (March 8, 2016).

      • Patch what? There is nothing that needs to be patched. There is no bug or security hole, and everything that the article is a system working as designed. It just says that if there was a security flaw then it could be hacked, but that is no different to any software.

  • by qubezz ( 520511 ) on Wednesday March 02, 2016 @08:47PM (#51626225)

    Slashdot editors can't help themselves. Post original article? No, lets post a monetized site with two generations of dumbing-down.

    At this week's RSA USA 2016 conference, I will be presenting my research on the attack surface and exploit mitigations in EdgeHTML, the rendering engine used by the Edge browser on Windows 10. One of the interesting features of EdgeHTML that I will discuss is its ability to use the built-in WinRT PDF Renderer library in Windows for rendering PDFs.

    The feature is useful in that users do not need to install and maintain additional software for reading PDFs. However, the feature also opens up another attack surface that can be used to attack the Edge browser. This blog post takes a look at this library and its security implications.

    https://securityintelligence.c... [securityintelligence.com]

  • No vulnerabilities cited, let alone exploits? As others have pointed out, this is a non-story about something that could happen, but hasn't yet. This is pure clickbait, and serves little use apart from generating advertising revenue and revealing commenters that know nothing about information security.
    • I think the article mentions that details will be provided at RSA this week
      • Did you read the original article? There's nothing in it that suggests they have discovered any vulnerabilities, let alone developed any working exploits. The article seems to indicate nothing more than a discussion about attack surface (which is a legitimate topic, but the difference seems to be lost to most of /.) and the cost of exploitation. Of course, they may be underselling their talk by failing to state that they did find and exploit vulnerabilities, but generally that's not how this works.
  • Windows 10, Microsoft's new operating system, uses the Winsock Sockets library to automatically manage socket connections while navigating the web. This is what Java does with applets, and Flash with SWF files -- it unintentionally allows a hacker to append malicious code to data and trigger drive-by attacks, which exploit Winsock vulnerabilities to target Windows 10 users. All that an attacker needs to do is to find and create a database of Winsock vulnerabilities it could leverage to distribute his malwar
  • Edge, Microsoft's new browser, uses some HTML library to automatically embed and present HTML files while navigating the web. This is what Java does with applets, and Flash with SWF files -- it unintentionally allows a hacker to append malicious code to HTML files and trigger drive-by attacks, which exploit the HTML library vulnerabilities to target Windows 10 users. All that an attacker needs to do is to find and create a database of HTML library vulnerabilities it could leverage to distribute his malware.

"Pay no attention to the man behind the curtain." -- The Wizard Of Oz

Working...