Windows' Built-In PDF Reader Exposes Edge Browser To Hacking

An anonymous reader writes: Edge, Microsoft's new browser, uses the WinRT PDF library to automatically embed and present PDF files while navigating the web. This is what Java does with applets, and Flash with SWF files -- it unintentionally allows a hacker to append malicious code to PDF files and trigger drive-by attacks, which exploit WinRT vulnerabilities to target Windows 10 users. All that an attacker needs to do is to find and create a database of WinRT vulnerabilities it could leverage to distribute his malware.

I could become POTUS

If I get an US birth certificate and convince the delegates to vote for me!

Its so simple!

All that an attacker needs to do is to find and create a database of WinRT vulnerabilities it could leverage to distribute his malware.

Re:I could become POTUS

[KiloByte]

As BHO shown, the birth certificate can be even a cheap printout, so you can scratch that requirement as well.

(Needing birth place instead of just citizenship is bizarre, and so is the whole birther kerfuffle -- but the "proof" presented is hardly a proof at all.)

FUD News?

[RockoW]

So they are talking about a possibility of exploit and not an actual exploit....

Re:FUD News?

[__aaclcg7560]

Otherwise known as a vulnerability.

Re:FUD News?

You awoke one day to recognize the fact that many, many Slashdot stories concern security vulnerabilities, including those not yet known to be in the wild, and you decided to speak up against it. Well played, sir.

Re:FUD News?

[amicusNYCL]

Why is the story specifically about Edge? Doesn't Chrome also have a built-in PDF reader? Is there something that makes Edge vulnerable in this case but Chrome isn't?

Re:FUD News?

No apparently they have to find a vulnerability first. The article seems to essentially be saying that if someone can find a vulnerability they can exploit it. And they say tech journalism is dead.

Re:FUD News?

[Tx]

No. A vulnerability is a specific flaw that could be exploited. There's no specific flaw here, the article is merely saying that if flaws are found in WinRT PDF, the could be exploited through Edge. And by the way, it also goes on to explain why that would be particularly hard. Really no story here.

Re:FUD News?

This is Slashdot, Google can do no wrong and Apple has the best UI design.

Re:FUD News?

The difference is that Chrome doesn't use Microsoft's shitty, buggy code.

Re:FUD News?

The difference is that Chrome doesn't use Microsoft's shitty, buggy code.

Yeah, Chrome, the browser with the most reported vulnerabilities (twice as many as IE in 2015) is an example of non-shitty, non-buggy code? And, to the people that think Google patches quicker than MS, they are actually much worse, with 24% of vulns unpatched and IE only 13%.

Re:FUD News?

[JustAnotherOldGuy]

So they are talking about a possibility of exploit and not an actual exploit....

Oh well as long as it's only a possibility then there's nothing to worry about and we should all just move along, nothing to see here...

Re:FUD News?

The story isn't about Chrome because Chrome doesn't use Windows' built-in PDF reader and because a random IBM researcher didn't find bugs inside Chrome's PDF reader

Re:FUD News?

It's easy to have fewer vulnerabilities when your software doesn't do one tenth as much.

Also, IE has had more severe vulnerabilities than all other browsers combined.

Re:FUD News?

[AC-x]

Oh well as long as it's only a possibility then there's nothing to worry about and we should all just move along, nothing to see here...

You know, there's a possibility that the browser you used to post that comment itself has a remote code execution exploit, and there's a possibility that your OS has a privilege escalation exploit. That means there's a possibility that by simply viewing a website your whole computer could be taken over by a hacker!

Anyway from TFA WinRT uses exploit mitigation features so there shouldn't be any more risk than if the PDF reader was simply built into the browser (i.e. there's still plenty of risk as is true for all large applications)

"He says that because Windows 10 implemented former EMET features such as ASLR protection and Control Flow Guard, "makes the development of exploits for WinRT PDF vulnerabilities time-consuming and therefore costly for an attacker."

Re:FUD News?

It's easy to have fewer vulnerabilities when your software doesn't do one tenth as much.

Also, IE has had more severe vulnerabilities than all other browsers combined.

Source??? This is completely wrong.

Firefox has the most by far, Chrome has the least. IE is somewhere in between, last year IE took a bit of a hit from severe vulnerabilities, but for the most part has been pretty good security wise for a few years now.

Also it shouldn't it be easy to write secure software when your codebase is in it's infancy and you don't have to worry about 2 decades of legacy code compatibility. Chrome developers do a good job, but honestly they should do even better given the lines of code and modernity if the project. Given IE's ageing code base they are now doing a surprisingly good job. They should just start fresh with a new browser so that they can compete on equal footing rather than be chained to ie6 compatibility for apps that the fortune 500s won't upgrade...O wait that's exactly what Microsoft did.

Ah, PDF - should have stopped at 1.5

[rsborg]

The PDF format v1.7 supports all sorts of crazy stuff (including javascript). Apple was sane, and IIRC, doesn't support PDF 1.7, probably only 1.5 (and not all of it - some features like pdf_packages and nested PDFs didn't work right in previous versions of OSX).

I thought that MS Word proved you shouldn't have script code in your (mainly recognized as printed text) file formats. Of course, leave it to Microsoft to re-learn their own history.

Unless you think they simply don't care about this shit.

Re:Ah, PDF - should have stopped at 1.5

Unless you think they simply don't care about this shit.

They don't because their customers don't. The ones that really cared about security left DOS/Windows nightmare a long time ago.

Re: Ah, PDF - should have stopped at 1.5

Exactly. It's a self fulfilling prophecy because people that don't care about security don't run their stuff in the first place.

Re:Ah, PDF - should have stopped at 1.5

[DigiShaman]

Unless you think they simply don't care about this shit

Haven't you heard? Microsoft is all about FEATURES. Bugs, exploits you say? That shit is for little people. But if something happens, I'm sure you can get Cortana to summon a useless idiot from India to help you out; for a fee of course.

Re: Ah, PDF - should have stopped at 1.5

This. My company gave up on Windows after we almost went out of business because of a data leak due to a .NET bug. Anyone still using doesn't care about security.

Re: Ah, PDF - should have stopped at 1.5

[Destined+Soul]

This. My company gave up on Windows after we almost went out of business because of a data leak due to a .NET bug. Anyone still using doesn't care about security.

Which bug was that?

Re: Ah, PDF - should have stopped at 1.5

They dont care about security. Msfts commercial shows They are in the badguy tracking business now. They want to track you soo hard they've refined thier version 10 honeypot petree drone rat , you bing and the malware that your os accumulates and spreads interception of data you and your neigbors leak . easier to track diseases when there guaranteed methods of infection . you sign all your rights away so no legal way to stop this identity theft nightmare. And if you dont subscribe you eventually wont be allowed to use your own identity ,use the internet. Make purchases . get a job.. etcetc.

600 60 6.

Re:Ah, PDF - should have stopped at 1.5

[lgw]

Did PDF recently become Turing complete? I thought it always was, but maybe I'm mis-remembering. Postscript is a full programming language, but fortunately it's quite rare to see it these days. Thank goodness Display PostScript did not become the way web pages get rendered.

Re: Ah, PDF - should have stopped at 1.5

CVE-2004-0200 which allowed anyone to execute code from inside a JPEG image. We had a couple of customers that had rootkits that would modify JPEG images which they uploaded to our site. The exploit even worked with a SOCKS proxy so it took us a long time to figure-out how to block its outgoing traffic.

Re:Ah, PDF - should have stopped at 1.5

PDF != PS

The language of PDFs was originally a preprocessed subset of PS, but one of the first things they did was add font embedding and object storage so you can use fonts without having them on your machine or embed raster graphics. Since then, various technologies have been added to PDFs well beyond PS, to the point where the capabilities and features of each are different with different pros and cons.

Re:Ah, PDF - should have stopped at 1.5

[lgw]

PDF != PS

Of course - that's why I'm asking "is PDF Turing-complete like PS is? Was it always?" Do you happen to know?

Re:Ah, PDF - should have stopped at 1.5

[anss123]

Having written both a PDF and PS interpreter, I can tell you that PDF command streams (the stuff that tells the viewer how to draw the page) has no loops or variables. You can't do calculations, the closest being PostScript functions, but you can't directly use the output of such a function (it's used to calculate colors).

Now, to be fully PDF compliant, you must support a limited subset of PostScript commands. There at least you can do math, but loops need not be implemented, just a few math related operators.

In theory, Type1 fonts is just PostScript code, but PDF viewers never actually execute that code.

TrueType fonts have executable code that is executed, but I don't know if it's Turing-complete.

Of course, PDF v.1.7 allows for JavaScript.

Re:Ah, PDF - should have stopped at 1.5

[Eunuchswear]

Of course, PDF v.1.7 allows for JavaScript.

Which is not such a big deal as we're talking about viewing PDF's in a web browser.

Re:Ah, PDF - should have stopped at 1.5

[lgw]

JavaScript == vulnerability.

Sure, if turning off JS in my browser means turning it off in the PDF viewer, that's a helpful mitigation, but why must a document format include a virus scripting language?

Settings?

By the very few settings available in Edge... I can tell you right now there's no way to deactivate that feature. This is probably milestone #29013 for Microsoft

Add-ons first

Let's add support for Chrome extensions first, then Microsoft can fix Edge's security flaws. Let's get our priorities in order please.

Re:Add-ons first

Yes, we definitely need another vector for malware!

Free Windows Utility

There is a very useful tool for optimizing a new Windows 10 installation. I ran ccleaner (crap cleaner) on my Windows 10 machine, and it deleted all the system files. This may be the most useful utility ever written.

You can find the details in this article.

What's the vulnerability here?

[PhrostyMcByte]

Is there an actual bug in EDGE's PDF viewer, or are we just saying software can have bugs and that people will try to exploit those bugs?

Re:What's the vulnerability here?

Exactly.

Edge, Microsoft's new browser, uses a library to automatically embed and present HTML files while navigating the web. All that an attacker needs to do is to find and create a database of Edge vulnerabilities it could leverage to distribute his malware.

Re:What's the vulnerability here?

[Simon+Brooke]

It downloads unknown executable code from the Internet, and then executes it. Fortunately the Internet is a very safe place on which no-one would ever dream of posting malicious code.

Re:What's the vulnerability here?

[batkiwi]

Wait until you find out about browsers downloading html and javascript....

Re:What's the vulnerability here?

Wait until you find out about things like NoScript that allow you to control which web sites get to run javascript.

Re:What's the vulnerability here?

[JustAnotherOldGuy]

Is there an actual bug in EDGE's PDF viewer, or are we just saying software can have bugs and that people will try to exploit those bugs?

In a word, "yes".

Re:What's the vulnerability here?

Wait until you find out that NoScript doesn't work on Edge.

Re:What's the vulnerability here?

[AC-x]

Wait until you find out that exploits can be triggered by fonts, images, and even HTML tags.

Re:What's the vulnerability here?

[benjymouse]

Is there an actual bug in EDGE's PDF viewer

No. That is, there might be, but the blog post is not about the discovery of a vulnerability.

or are we just saying software can have bugs and that people will try to exploit those bugs?

Yes, pretty much. The slashdot submission actually tries to spin the message of blog post around: Reading the post, the researcher seems to be of the opinion that even with a vulnerability in the PDF library of WinRT - especially with Control Flow Guard protection in Windows 10 - is actually very, very hard to exploit. Not exactly what you read from the submission.

And it makes sense too: A PDF library developed under Secure Development Lifecycle (SDL) is likely to have *fewer* vulnerabilities than age-old adobe code. Firefox approach (PDF renderer exclusively in JavaScript) is somewhat better, but does not allow for the functionality to be used in standalone applications.

Re:What's the vulnerability here?

[benjymouse]

Is there an actual bug in EDGE's PDF viewer, or are we just saying software can have bugs and that people will try to exploit those bugs?

In a word, "yes".

No.

hahaha

stupid windows 10

I don't think Microsoft cares

The existence of Windows 10 exploits makes it possible for Microsoft to sell your private information and to deny having done it ("oh you have proof that someone got their hands on your personal documents? It must have been hackers").

"All an attacker needs to do..."

[nuckfuts]

"... is find and create a database of WinRT vulnerabilities...".

You mean the way any piece of software in existence could be exploited by "finding a vulnerability"?

Even the referenced article states that...

...because Windows 10 implemented former EMET features such as ASLR protection and Control Flow Guard, [this] "makes the development of exploits for WinRT PDF vulnerabilities time-consuming and therefore costly for an attacker."

So not only is this utter FUD, it's self-contradictory FUD.

Re:"All an attacker needs to do..."

I think you're exaggerating in your trolling behavior. Aren't all "security" articles written on this principle? The summary or article never claims to present a security flaw, it just says that WinRT can be exploited in Edge, something that nobody knew until now. Now you know, hence "news"

Re:"All an attacker needs to do..."

The things you pointed out are not contradictory since they don't say two opposite things. Second of all, everybody around here seems to think that the article was about a vulnerability, even if the summary, article, and IBM's research never said so. It's a new "attack surface," which I, a security researcher, will probably use for Microsoft's bug bounty program. That's news in my book, since Firefox's and Chrome's PDF readers are not prone to drive-by attacks, and won't probably ever will because of their architecture. I just like it how /. comment on things they don't understand.... and then call it FUD.

Re:"All an attacker needs to do..."

[houghi]

Timeconsuming and costly is the same as security through obscurity. So that means that your nor I will be attacked. It means that people who have money and time will attack those who they seem to be interesting targets.

So it could be between big companies or more likely between countries. To me that is not FUD, but IT stuff that matters. I will not panic over it, but find it technical interesting.

Re:"All an attacker needs to do..."

[nuckfuts]

You're missing the point. The summary implies Edge using the WinRT PDF library makes attacks easier, but the article goes on to say that Windows 10 uses EMET techniques that make attacks harder. That's the contradictory part.

The summary also states that an attacker needs to "find and create a database of WinRT vulnerabilities". Not that any exploit exists, just that one might be found, which one could say about any software. That's the FUD part.

WTF?

So a story about the possibility of an exploit if a vulnerability can be found for a dead platform (WinRT is the old arm original surface devices that sold like arse). Why the fuck are they even researching this? even if WinRT was wide open with publically known vulnerabilities it would pretty much be a non issue as almost no one uses it so trying to exploit it is pointless. It is like pointing out a security hole in OS/2, or DR DOS.

Re: WTF?

No, that was Windows RT not WinRT ... I can see why it's confusing ;)

Re: WTF?

Are you retarded? WinRT is the short name for Windows RT.

Re: WTF?

No. WinRT is the replacement for Win32. Windows RT is the ARM tablet Windows 8ish OS that no one wanted.

Delete this

So we have an article about, not how theres an exploit, but how there could be an exploit. Very interesting. If only there was a site where I could get more articles with similar amounts of high quality content.

Re:Delete this

Delete yourself. The article is about an attack surface, not a vulnerability.

John McAfee once said that security researchers that only look at vulnerabilities instead of attack surfaces are like porn addicts looking only at cumshots.

You don't say

Adobe products are a MASSIVE FUCKING SECURITY RISK? Well I never...

Re:You don't say

This isn't even about Adobe, you mentally impaired reproductive organ. Better luck next time.

And Firefox?

[rduke15]

Firefox also has an internal PDF viewer. Is there any difference? Is there something specific reason that makes the embedded PDF viewer safe in Chrome or Firefox, but not in Edge?

Re:And Firefox?

Firefox also has an internal PDF viewer

Firefox's PDF viewer is implemented in JavaScript so doesn't introduce anything additional to the browser platform.

Re:And Firefox?

[NotInHere]

In fact there is a difference that makes the PDF reader in Firefox more secure than the ones in Chrome or Edge: In chrome and edge, the PDF reader is a binary module, that's sandboxed some way from the other parts of the operating system, with that sandbox being the only protection mechanism.

In Firefox, the PDF reader is written 100% in javascript. Originally in fact it has been written by some guy who greatly improved the javascript JIT engine for firefox, and wanted to demonstrate how fast the javascript VM now has became, and that it can run "real" applications like PDF readers.

In fact, since the earliest days, the website for the firefox PDF reader featured his paper as example document: https://mozilla.github.io/pdf....

To get back to the topic: due to the fact that the firefox PDF reader only uses APIs and functionality that is already available in the web, viewing a PDF file isn't less secure than normally browsing the internet (without any addons that e.g. block javascript or something). So in theory the firefox PDF reader should be the most secure one, as there is no difference, and thus no additional attack surface.

However, there is a tiny part where the firefox PDF reader is different from normal js code, and it has been abused already once: https://blog.mozilla.org/secur...
It was no remote code execution bug, but it allowed websites to read files on your disk, that's pretty bad.

So yes, in principle the PDF reader for firefox is the most secure one.

Re:And Firefox?

[LordWabbit2]

My Firefox pdf reader is the most secure, since every time I even try open a pdf in Firefox it freezes, so I don't bother opening pdf's in Firefox.

Re:And Firefox?

I've found the PDF support to work well in Firefox. What's an example of a PDF that freezes Firefox?

Re:And Firefox?

Huge PDF files with large images (50 MB and up) are unbearable. But it works just fine for small files where you don't have custom fonts.

Re:And Firefox?

Firefox's PDF reader is so slow that anyone who has ever opened a PDF with it has already replaced it with a different reader. Of course, the Adobe has ten times as more vulnerabilities, but at least it can open a PDF in seconds, not in minutes as that Mozilla's piece of javascrip crap.

Re:And Firefox?

and that it can run "real" applications like PDF readers.

It was one feature that could single handedly drain the battery on my Eee PC when it first came out, while providing a pleasant warmth during the winter. Possible does not mean its a good idea, especially when it is integrated without an off switch.

Re:And Firefox?

It also means printing is problematic.
- it prints at screen dpi, instead of 600+ dpi (uses screen fonts)
- it can't mix landscape and portrait pages
- we've got the whole a4/letter paper size problem *again*. It took a *decade* to fix last time.

I don't print often, but when I do it's pdf, and this is now broken.

(yes, there are bug reports for all of these.)

Re:And Firefox?

Or you could just click the download button and open with your favourite pdf reader if the pdf is too bloated.

Re:And Firefox?

So what's an example? It's the web. Link to one.

Re:And Firefox?

[NotInHere]

There is a list on github: https://github.com/mozilla/pdf...

Re:And Firefox?

Most of those cases relate to browsers which are not Firefox. What's a specific example of a PDF that causes Firefox to freeze as LordWabbit2 says? His comment implies that it's caused by any PDF.

Re:And Firefox?

especially when it is integrated without an off switch

You can change the behaviour in the Applications section of Firefox's config. Just change the setting for PDFs from "Preview in Firefox" to whatever you want it to be. It can also be disabled in the about:config settings.

For more information

[penguinoid]

For more information on the hack, click here [pdf]

That's what they get...

[Nunya666]

...for using Windows 10.

Re:That's what they get...

They get a fully sandboxed PDF reader instead opening PDFs in Adobe's awful products will full system access? That sounds like a pretty good thing to get. This isn't even new though. Chrome has done this for a while for the same reason.

Just admit it: Win10 == piece of shit

Win 95: more or less OK.
Win 98/98SE: Pretty good..
Win NT 4: Pretty good..
Win 2000: Not bad at all after service packs..
Win XP: Good job!
Vista: OMFG what did you DO!?
Win 7: Whew! Finally, something that's decent!
Win 8: OMFG, are you insane!?
Win 10: *bertstare* What the actual FUCK are you smoking!? Bad biker meth? Are you NUTS!?

Face it: Win10 is a total piece of SHIT, Microsoft doesn't give a fuck about you or your rights as a user, openly spies on you, shoves 'updates' down your throat, and the goddamned thing has more holes in it's security than a swiss cheese. If you willingly use it you either must be technically incompetent, or you LIKE being fucked in the ass by an AIDS infested derelict. You may as well go find the Russian mob and ask them to install all their malware on your computer and get it over with.

Re:Just admit it: Win10 == piece of shit

[AlphaBro]

Yeah, Windows 10 has had a plethora of highly publicized, named exploits a la heartbleed, shellshock, stagefright, drown, etc. Hey, wait a second...

Crying wolf

[iamacat]

All the article says is because Edge uses a library to open PDFs, someone could potentially find a vulnerability and then exploit it if they are not stopped by extensive sandboxing features by the browser. That's a lot of handwaving and not one concrete exploit.

Re:Crying wolf

[MtViewGuy]

And Microsoft will probably patch it with the this month's security updates, which should be out next Tuesday (March 8, 2016).

Re:Crying wolf

[Gadget_Guy]

Patch what? There is nothing that needs to be patched. There is no bug or security hole, and everything that the article is a system working as designed. It just says that if there was a security flaw then it could be hacked, but that is no different to any software.

Researcher's actual page

[qubezz]

Slashdot editors can't help themselves. Post original article? No, lets post a monetized site with two generations of dumbing-down.

At this week's RSA USA 2016 conference, I will be presenting my research on the attack surface and exploit mitigations in EdgeHTML, the rendering engine used by the Edge browser on Windows 10. One of the interesting features of EdgeHTML that I will discuss is its ability to use the built-in WinRT PDF Renderer library in Windows for rendering PDFs.

The feature is useful in that users do not need to install and maintain additional software for reading PDFs. However, the feature also opens up another attack surface that can be used to attack the Edge browser. This blog post takes a look at this library and its security implications.

https://securityintelligence.c...

Non-story

[AlphaBro]

No vulnerabilities cited, let alone exploits? As others have pointed out, this is a non-story about something that could happen, but hasn't yet. This is pure clickbait, and serves little use apart from generating advertising revenue and revealing commenters that know nothing about information security.

Re:Non-story

[softnewsit]

I think the article mentions that details will be provided at RSA this week

Re:Non-story

[AlphaBro]

Did you read the original article? There's nothing in it that suggests they have discovered any vulnerabilities, let alone developed any working exploits. The article seems to indicate nothing more than a discussion about attack surface (which is a legitimate topic, but the difference seems to be lost to most of /.) and the cost of exploitation. Of course, they may be underselling their talk by failing to state that they did find and exploit vulnerabilities, but generally that's not how this works.

Re:Non-story

and what's wrong with that. the article didn't mention anything about a discovered vulnerability... the title is actually very well chosen.... i think you had personal expectations about a vulnerability... nowhere does it say that articles can't raise the issue of potential attack vectors... judging that i didn't know about it, the article did its job

Re:Non-story

[AlphaBro]

No, it's not. The title is trite, click-bait garbage intended to garner Microsoft hate. "Windows' Built-In PDF Reader Exposes Edge Browser To Hacking" implies active exploitation (or at least the discovery of a vulnerability), when in fact no such "hacking" is known to have occurred. Further, expansion of attack surface is hardly newsworthy, especially when it parallels extant attack surface of competitors. Having been a /. reader for some time, I can't think of a single article comparable to this seemingly new low.

Re:Non-story

lol, how about the betanews article from last weekend when donald trump's voicemail was hacked and the betanews editor copied the gawker article but replaced "4chan pranksters" with "anonymous" because it would garner more clicks

that's click-bait, and that's true /. low, not this, you brainless monkey that can't understand the meaning of the word "expose"

so much hate on this site it's unbelievable.... there were people contesting reuters articles in here, everybody's an expert

Global Mother Fucking Spyware.

WinRT is Win(NOT)RT

https://www.youtube.com/watch?v=5aAbOgdbTbM

Windows built-in sockets library exposes OS...

[bool2]

Windows 10, Microsoft's new operating system, uses the Winsock Sockets library to automatically manage socket connections while navigating the web. This is what Java does with applets, and Flash with SWF files -- it unintentionally allows a hacker to append malicious code to data and trigger drive-by attacks, which exploit Winsock vulnerabilities to target Windows 10 users. All that an attacker needs to do is to find and create a database of Winsock vulnerabilities it could leverage to distribute his malware.

Browser uses library to display files, horrors.

[Eunuchswear]

Edge, Microsoft's new browser, uses some HTML library to automatically embed and present HTML files while navigating the web. This is what Java does with applets, and Flash with SWF files -- it unintentionally allows a hacker to append malicious code to HTML files and trigger drive-by attacks, which exploit the HTML library vulnerabilities to target Windows 10 users. All that an attacker needs to do is to find and create a database of HTML library vulnerabilities it could leverage to distribute his malware.

WTF is wrong with you Slashdot commenters?

Why so many mean comments on all stories? What has happened to this place? Since when is it forbidden to report on attack surfaces? 95% of all security articles are just theoretical crap. I don't get what's the bug hubbub about this article and all your comments...

Not much has changed.

[mitcheli]

Didn't Microsoft have similar problems with incorporating third party tools into IE4? And that was like what, 1997?