Windows' Built-In PDF Reader Exposes Edge Browser To Hacking (softpedia.com)
An anonymous reader writes: Edge, Microsoft's new browser, uses the WinRT PDF library to automatically embed and present PDF files while navigating the web. This is what Java does with applets, and Flash with SWF files -- it unintentionally allows a hacker to append malicious code to PDF files and trigger drive-by attacks, which exploit WinRT vulnerabilities to target Windows 10 users. All that an attacker needs to do is to find and create a database of WinRT vulnerabilities he could leverage to distribute his malware.
Re: (Score:1)
As BHO has shown, the birth certificate can be even a cheap printout, so you can scratch that requirement as well.
(Needing birth place instead of just citizenship is bizarre, and so is the whole birther kerfuffle -- but the "proof" presented is hardly a proof at all.)
FUD News? (Score:4, Insightful)
Re:FUD News? (Score:5, Insightful)
Why is the story specifically about Edge? Doesn't Chrome also have a built-in PDF reader? Is there something that makes Edge vulnerable in this case but Chrome isn't?
Re: (Score:1)
This is Slashdot, Google can do no wrong and Apple has the best UI design.
And Firefox? (Score:2)
Firefox also has an internal PDF viewer. Is there any difference? Is there some specific reason that makes the embedded PDF viewer safe in Chrome or Firefox, but not in Edge?
Re:And Firefox? (Score:5, Informative)
In fact there is a difference that makes the PDF reader in Firefox more secure than the ones in Chrome or Edge: in Chrome and Edge, the PDF reader is a binary module that's sandboxed in some way from the other parts of the operating system, with that sandbox being the only protection mechanism.
In Firefox, the PDF reader is written 100% in JavaScript. Originally, in fact, it was written by some guy who greatly improved the JavaScript JIT engine for Firefox and wanted to demonstrate how fast the JavaScript VM had become, and that it can run "real" applications like PDF readers.
In fact, since the earliest days, the website for the firefox PDF reader featured his paper as example document: https://mozilla.github.io/pdf.... [github.io]
To get back to the topic: due to the fact that the Firefox PDF reader only uses APIs and functionality that are already available on the web, viewing a PDF file isn't less secure than normally browsing the internet (without any addons that e.g. block JavaScript or something). So in theory the Firefox PDF reader should be the most secure one, as there is no difference, and thus no additional attack surface.
However, there is a tiny part where the firefox PDF reader is different from normal js code, and it has been abused already once: https://blog.mozilla.org/secur... [mozilla.org]
It was not a remote code execution bug, but it allowed websites to read files on your disk, and that's pretty bad.
So yes, in principle the PDF reader for firefox is the most secure one.
Re: (Score:1)
Huge PDF files with large images (50 MB and up) are unbearable. But it works just fine for small files where you don't have custom fonts.
Re: (Score:2)
There is a list on github: https://github.com/mozilla/pdf... [github.com]
Re: (Score:2)
No. A vulnerability is a specific flaw that could be exploited. There's no specific flaw here; the article is merely saying that if flaws are found in WinRT PDF, they could be exploited through Edge. And by the way, it also goes on to explain why that would be particularly hard. Really no story here.
Re: (Score:2)
So they are talking about a possibility of exploit and not an actual exploit....
Oh well as long as it's only a possibility then there's nothing to worry about and we should all just move along, nothing to see here...
Re: (Score:2)
Oh well as long as it's only a possibility then there's nothing to worry about and we should all just move along, nothing to see here...
You know, there's a possibility that the browser you used to post that comment itself has a remote code execution exploit, and there's a possibility that your OS has a privilege escalation exploit. That means there's a possibility that by simply viewing a website your whole computer could be taken over by a hacker!
Anyway from TFA WinRT uses exploit mitigation features so there shouldn't be any more risk than if the PDF reader was simply built into the browser (i.e. there's still plenty of risk as is true fo
Not much has changed. (Score:2)
Ah, PDF - should have stopped at 1.5 (Score:4, Insightful)
The PDF format v1.7 supports all sorts of crazy stuff (including javascript). Apple was sane, and IIRC, doesn't support PDF 1.7, probably only 1.5 (and not all of it - some features like pdf_packages and nested PDFs didn't work right in previous versions of OSX).
I thought that MS Word proved you shouldn't have script code in your (mainly recognized as printed text) file formats. Of course, leave it to Microsoft to re-learn their own history.
Unless you think they simply don't care about this shit.
Re: (Score:1)
Unless you think they simply don't care about this shit.
They don't because their customers don't. The ones that really cared about security left the DOS/Windows nightmare a long time ago.
Re: Ah, PDF - should have stopped at 1.5 (Score:1)
This. My company gave up on Windows after we almost went out of business because of a data leak due to a .NET bug. Anyone still using it doesn't care about security.
Re: (Score:1, Interesting)
This. My company gave up on Windows after we almost went out of business because of a data leak due to a .NET bug. Anyone still using it doesn't care about security.
Which bug was that?
Re: (Score:2)
Did PDF recently become Turing complete? I thought it always was, but maybe I'm mis-remembering. Postscript is a full programming language, but fortunately it's quite rare to see it these days. Thank goodness Display PostScript did not become the way web pages get rendered.
Re: (Score:2)
PDF != PS
Of course - that's why I'm asking "is PDF Turing-complete like PS is? Was it always?" Do you happen to know?
Re:Ah, PDF - should have stopped at 1.5 (Score:4, Informative)
Having written both a PDF and a PS interpreter, I can tell you that PDF command streams (the stuff that tells the viewer how to draw the page) have no loops or variables. You can't do calculations, the closest being PostScript functions, but you can't directly use the output of such a function (it's used to calculate colors).
Now, to be fully PDF compliant, you must support a limited subset of PostScript commands. There at least you can do math, but loops need not be implemented, just a few math related operators.
In theory, Type1 fonts are just PostScript code, but PDF viewers never actually execute that code.
TrueType fonts have executable code that is executed, but I don't know if it's Turing-complete.
Of course, PDF v.1.7 allows for JavaScript.
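The JavaScript and action hooks the comment above refers to live in ordinary PDF dictionaries, so a defender can triage a file for them before a renderer ever parses it. The scanner below is an added example, not code from the article or from any PDF project; it assumes the action and script dictionary keys named in the PDF 1.7 specification, undoes the #xx name escapes PDF allows, and inflates FlateDecode streams so keys hidden in compressed object streams are seen too. The three sample files are constructed.

```python
"""Triage a PDF for active-content keys (JavaScript, open/launch actions).
Added example with constructed samples; not code from the article or any PDF project."""
import re
import zlib

# Dictionary keys that attach scripts or actions to a PDF 1.7 document.
ACTIVE_NAMES = {"/JavaScript", "/JS", "/OpenAction", "/AA", "/Launch"}


def decode_name(token: str) -> str:
    """Undo #xx hex escapes; /J#61vaScript is a common way to hide a key from grep."""
    return re.sub(r"#([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), token)


def inflate_streams(data: bytes) -> bytes:
    """Append the decompressed body of every FlateDecode stream, so keys
    tucked inside compressed object streams get scanned as well."""
    bodies = []
    for m in re.finditer(rb"/FlateDecode.*?stream\r?\n(.*?)\r?\nendstream", data, re.S):
        try:
            bodies.append(zlib.decompress(m.group(1)))
        except zlib.error:
            pass  # corrupt or truncated stream: the raw bytes are still scanned
    return data + b"\n" + b"\n".join(bodies)


def find_active_content(data: bytes) -> set:
    """Return the set of active-content keys present anywhere in the file."""
    text = inflate_streams(data).decode("latin-1")
    tokens = re.findall(r"/[^\s/\[\]<>(){}]+", text)
    return {decode_name(t) for t in tokens} & ACTIVE_NAMES


# Constructed samples: a plain catalog, one with an escaped JavaScript open action,
# and one hiding the same action inside a FlateDecode object stream.
CLEAN_PDF = b"%PDF-1.7\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n%%EOF"
JS_PDF = (b"%PDF-1.7\n1 0 obj << /Type /Catalog /OpenAction 3 0 R >> endobj\n"
          b"3 0 obj << /S /J#61vaScript /JS (app.alert('hi')) >> endobj\n%%EOF")
_hidden = zlib.compress(b"<< /S /JavaScript /JS (app.alert('hi')) >>")
STREAM_PDF = (b"%PDF-1.7\n4 0 obj << /Type /ObjStm /Filter /FlateDecode /Length "
              + str(len(_hidden)).encode() + b" >>\nstream\n" + _hidden
              + b"\nendstream\nendobj\n%%EOF")

if __name__ == "__main__":
    for label, pdf in [("clean", CLEAN_PDF), ("escaped", JS_PDF), ("compressed", STREAM_PDF)]:
        print(label, sorted(find_active_content(pdf)))
```

A hit only means the file carries script or action hooks, which is enough to route it away from an in-browser renderer for closer inspection; it is not by itself evidence of an exploit.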
Re: (Score:1)
Of course, PDF v.1.7 allows for JavaScript.
Which is not such a big deal as we're talking about viewing PDFs in a web browser.
Re: (Score:2)
JavaScript == vulnerability.
Sure, if turning off JS in my browser means turning it off in the PDF viewer, that's a helpful mitigation, but why must a document format include a virus scripting language?
What's the vulnerability here? (Score:5, Insightful)
Re: (Score:3)
Wait until you find out about browsers downloading html and javascript....
Re: (Score:2)
Wait until you find out that exploits can be triggered by fonts, images, and even HTML tags.
Re: (Score:2)
Is there an actual bug in EDGE's PDF viewer, or are we just saying software can have bugs and that people will try to exploit those bugs?
In a word, "yes".
Re: (Score:2)
Is there an actual bug in EDGE's PDF viewer, or are we just saying software can have bugs and that people will try to exploit those bugs?
In a word, "yes".
No.
Re: (Score:2)
Is there an actual bug in EDGE's PDF viewer
No. That is, there might be, but the blog post is not about the discovery of a vulnerability.
or are we just saying software can have bugs and that people will try to exploit those bugs?
Yes, pretty much. The Slashdot submission actually tries to spin the message of the blog post around: reading the post, the researcher seems to be of the opinion that even a vulnerability in the PDF library of WinRT - especially with Control Flow Guard protection in Windows 10 - is actually very, very hard to exploit. Not exactly what you read from the submission.
And it makes sense too: A PDF library developed unde
"All an attacker needs to do..." (Score:5, Insightful)
"... is find and create a database of WinRT vulnerabilities...".
You mean the way any piece of software in existence could be exploited by "finding a vulnerability"?
Even the referenced article states that...
...because Windows 10 implemented former EMET features such as ASLR protection and Control Flow Guard, [this] "makes the development of exploits for WinRT PDF vulnerabilities time-consuming and therefore costly for an attacker."
So not only is this utter FUD, it's self-contradictory FUD.
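The mitigations the quoted article relies on (ASLR, DEP, Control Flow Guard) are opt-in per image and recorded in the PE optional header, so a defender can verify that a given DLL actually carries them rather than taking the claim on faith. The checker below is an added example, not code from the article, Microsoft or any project; it assumes the IMAGE_DLLCHARACTERISTICS flag values from the PE/COFF specification and builds a constructed minimal header for demonstration instead of reading a real file.

```python
"""Read a PE image's DllCharacteristics to confirm it opts into ASLR, DEP and CFG.
Added example with a constructed header; not code from the article or from Microsoft."""
import struct

# IMAGE_DLLCHARACTERISTICS_* values from the PE/COFF specification.
FLAGS = {
    "HIGH_ENTROPY_VA": 0x0020,  # 64-bit ASLR entropy
    "DYNAMIC_BASE":    0x0040,  # image may be relocated (ASLR)
    "NX_COMPAT":       0x0100,  # DEP-compatible
    "GUARD_CF":        0x4000,  # Control Flow Guard instrumented
}


def dll_characteristics(pe: bytes) -> int:
    """Locate the optional header and return its 16-bit DllCharacteristics field."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ signature")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    # Optional header follows the 4-byte signature and 20-byte COFF header;
    # DllCharacteristics is at offset 70 in both the PE32 and PE32+ layouts.
    opt = e_lfanew + 4 + 20
    return struct.unpack_from("<H", pe, opt + 70)[0]


def mitigations(pe: bytes) -> dict:
    """Map each mitigation name to whether the image opts into it."""
    bits = dll_characteristics(pe)
    return {name: bool(bits & value) for name, value in FLAGS.items()}


def build_header(dll_chars: int, pe32plus: bool = True) -> bytes:
    """Constructed minimal PE header (no sections), for demonstration only."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 240 if pe32plus else 224
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 0, 0, 0, 0, opt_size, 0x2022)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)  # magic
    struct.pack_into("<H", opt, 70, dll_chars)
    return dos + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    hardened = build_header(sum(FLAGS.values()))
    print(mitigations(hardened))
    print(mitigations(build_header(0, pe32plus=False)))
```

On a real system the same function can be pointed at the bytes of an installed module, and a missing GUARD_CF or DYNAMIC_BASE bit is exactly the gap that would undercut the "time-consuming and therefore costly" argument for that module.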
Re: (Score:2)
You're missing the point. The summary implies Edge using the WinRT PDF library makes attacks easier, but the article goes on to say that Windows 10 uses EMET techniques that make attacks harder. That's the contradictory part.
The summary also states that an attacker needs to "find and create a database of WinRT vulnerabilities". Not that any exploit exists, just that one might be found, which one could say about any software. That's the FUD part.
WTF? (Score:1)
For more information (Score:4, Funny)
For more information on the hack, click here [suspicious-site.com] [pdf]
That's what they get... (Score:1)
Crying wolf (Score:2)
All the article says is because Edge uses a library to open PDFs, someone could potentially find a vulnerability and then exploit it if they are not stopped by extensive sandboxing features by the browser. That's a lot of handwaving and not one concrete exploit.
Re: (Score:2)
And Microsoft will probably patch it with this month's security updates, which should be out next Tuesday (March 8, 2016).
Re: (Score:2)
Patch what? There is nothing that needs to be patched. There is no bug or security hole, and everything the article describes is a system working as designed. It just says that if there were a security flaw then it could be hacked, but that is no different from any software.
Researcher's actual page (Score:4, Informative)
Slashdot editors can't help themselves. Post the original article? No, let's post a monetized site with two generations of dumbing-down.
At this week's RSA USA 2016 conference, I will be presenting my research on the attack surface and exploit mitigations in EdgeHTML, the rendering engine used by the Edge browser on Windows 10. One of the interesting features of EdgeHTML that I will discuss is its ability to use the built-in WinRT PDF Renderer library in Windows for rendering PDFs.
The feature is useful in that users do not need to install and maintain additional software for reading PDFs. However, the feature also opens up another attack surface that can be used to attack the Edge browser. This blog post takes a look at this library and its security implications.
https://securityintelligence.c... [securityintelligence.com]
Non-story (Score:1)
Windows built-in sockets library exposes OS... (Score:2)
Browser uses library to display files, horrors. (Score:1)
Edge, Microsoft's new browser, uses some HTML library to automatically embed and present HTML files while navigating the web. This is what Java does with applets, and Flash with SWF files -- it unintentionally allows a hacker to append malicious code to HTML files and trigger drive-by attacks, which exploit the HTML library vulnerabilities to target Windows 10 users. All that an attacker needs to do is to find and create a database of HTML library vulnerabilities it could leverage to distribute his malware.