Windows' Built-In PDF Reader Exposes Edge Browser To Hacking (softpedia.com)
An anonymous reader writes: Edge, Microsoft's new browser, uses the WinRT PDF library to automatically embed and present PDF files while navigating the web. This is what Java does with applets, and Flash with SWF files -- it unintentionally allows a hacker to append malicious code to PDF files and trigger drive-by attacks, which exploit WinRT vulnerabilities to target Windows 10 users. All that an attacker needs to do is to find and create a database of WinRT vulnerabilities he could leverage to distribute his malware.
So they are talking about the possibility of an exploit and not an actual exploit....
The PDF format v1.7 supports all sorts of crazy stuff (including JavaScript). Apple was sane, and IIRC, doesn't support PDF 1.7, probably only 1.5 (and not all of it - some features like pdf_packages and nested PDFs didn't work right in previous versions of OS X).
I thought that MS Word proved you shouldn't have script code in your (mainly recognized as printed text) file formats. Of course, leave it to Microsoft to re-learn their own history.
Unless you think they simply don't care about this shit.
Is there an actual bug in Edge's PDF viewer, or are we just saying software can have bugs and that people will try to exploit those bugs?
"... is find and create a database of WinRT vulnerabilities...".
You mean the way any piece of software in existence could be exploited by "finding a vulnerability"?
Even the referenced article states that...
...because Windows 10 implemented former EMET features such as ASLR protection and Control Flow Guard, [this] "makes the development of exploits for WinRT PDF vulnerabilities time-consuming and therefore costly for an attacker."
So not only is this utter FUD, it's self-contradictory FUD.