PDF exploit found in default Google Chrome reader
Thu 9 Jun 2016
A security researcher has unearthed a code execution flaw in web browser Google Chrome’s default PDF reader, PDFium, which could gift hackers with a simple opening into a victim’s system.
The vulnerability (CVE-2016-1681), discovered by Aleksander Nikolic of Cisco’s Talos unit, is present in any PDF with a JPEG 2000 image which can trigger an exploitable heap buffer overflow.
Nikolic explained in a blog yesterday that the Cisco research arm had identified the problem, and that ‘by simply viewing a PDF document that includes an embedded jpeg2000 image, an attacker can achieve arbitrary code execution on a victim’s system.’
He continued that the flaw originates from a Chrome developer error, noting: ‘An existing assert call in the OpenJPEG library prevents the heap overflow in standalone builds, but in the build included in release versions of Chrome, the assertions are omitted.’
When PDFium makes use of the OpenJPEG library, this omission can result in a buffer overflow. If this happens, malicious third parties can modify the code script.
‘The most effective attack vector is for the threat actor to place a malicious PDF file on a website and and then redirect victims to the website using either phishing emails or even malvertising,’ Nikolic explained.
Once Nikolic flagged the error to Google on the 19th May, the search giant responded quickly and had fixed the vulnerability by the 25th May. This was corrected with a simple line of code, which changed an ‘assert’ to an ‘if’.
For protection against the exploit, Chrome users should update to the latest browser version – 51.0.2704.63. Chrome auto-updates, provided that this setting hasn’t been disabled, so the majority of Chrome users should be automatically protected once they restart their browser.
PDF files are widely accessed online, which make them an extremely easy target for attackers. Research has noted the vector’s prevalence over other malware distribution techniques, such as help files, HTML and other targeted media. Following a Symantec report senior analyst Paul Wood commented: ‘PDF-based targeted attacks are here to stay, and are predicted to worsen as malware authors continue to innovate in the delivery, construction and obfuscation of the techniques necessary for this type of malware.’