Slashdot Mirror


Windows' Built-In PDF Reader Exposes Edge Browser To Hacking (softpedia.com)

An anonymous reader writes: Edge, Microsoft's new browser, uses the WinRT PDF library to automatically embed and present PDF files while navigating the web. This is what Java does with applets, and Flash with SWF files -- it unintentionally allows a hacker to append malicious code to PDF files and trigger drive-by attacks, which exploit WinRT vulnerabilities to target Windows 10 users. All that an attacker needs to do is to find and create a database of WinRT vulnerabilities it could leverage to distribute his malware.

46 of 97 comments

  1. FUD News? by RockoW · · Score: 4, Insightful

    So they are talking about a possibility of exploit and not an actual exploit....

    1. Re:FUD News? by amicusNYCL · · Score: 4, Insightful

      Why is the story specifically about Edge? Doesn't Chrome also have a built-in PDF reader? Is there something that makes Edge vulnerable in this case but Chrome isn't?

      --
      "Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
    2. Re:FUD News? by Tx · · Score: 1

      No. A vulnerability is a specific flaw that could be exploited. There's no specific flaw here; the article is merely saying that if flaws are found in WinRT PDF, they could be exploited through Edge. And by the way, it also goes on to explain why that would be particularly hard. Really no story here.

      --
      Oh no... it's the future.
    3. Re:FUD News? by Anonymous Coward · · Score: 1

      This is Slashdot, Google can do no wrong and Apple has the best UI design.

    4. Re:FUD News? by JustAnotherOldGuy · · Score: 1

      So they are talking about a possibility of exploit and not an actual exploit....

      Oh well as long as it's only a possibility then there's nothing to worry about and we should all just move along, nothing to see here...

      --
      Just cruising through this digital world at 33 1/3 rpm...
    5. Re:FUD News? by AC-x · · Score: 1

      Oh well as long as it's only a possibility then there's nothing to worry about and we should all just move along, nothing to see here...

      You know, there's a possibility that the browser you used to post that comment itself has a remote code execution exploit, and there's a possibility that your OS has a privilege escalation exploit. That means there's a possibility that by simply viewing a website your whole computer could be taken over by a hacker!

      Anyway, from TFA, WinRT uses exploit mitigation features, so there shouldn't be any more risk than if the PDF reader were simply built into the browser (i.e. there's still plenty of risk, as is true for all large applications).

      "He says that because Windows 10 implemented former EMET features such as ASLR protection and Control Flow Guard, 'makes the development of exploits for WinRT PDF vulnerabilities time-consuming and therefore costly for an attacker.'"

  2. Ah, PDF - should have stopped at 1.5 by rsborg · · Score: 3, Insightful

    The PDF format v1.7 supports all sorts of crazy stuff (including javascript). Apple was sane, and IIRC, doesn't support PDF 1.7, probably only 1.5 (and not all of it - some features like pdf_packages and nested PDFs didn't work right in previous versions of OSX).

    I thought that MS Word proved you shouldn't have script code in your (mainly recognized as printed text) file formats. Of course, leave it to Microsoft to re-learn their own history.

    Unless you think they simply don't care about this shit.

    --
    Make sure everyone's vote counts: Verified Voting
    1. Re:Ah, PDF - should have stopped at 1.5 by Anonymous Coward · · Score: 1

      Unless you think they simply don't care about this shit.

      They don't because their customers don't. The ones that really cared about security left the DOS/Windows nightmare a long time ago.

    2. Re:Ah, PDF - should have stopped at 1.5 by DigiShaman · · Score: 2

      Unless you think they simply don't care about this shit

      Haven't you heard? Microsoft is all about FEATURES. Bugs, exploits you say? That shit is for little people. But if something happens, I'm sure you can get Cortana to summon a useless idiot from India to help you out; for a fee of course.

      --
      Life is not for the lazy.
    3. Re: Ah, PDF - should have stopped at 1.5 by Anonymous Coward · · Score: 1

      This. My company gave up on Windows after we almost went out of business because of a data leak due to a .NET bug. Anyone still using it doesn't care about security.

    4. Re: Ah, PDF - should have stopped at 1.5 by Destined+Soul · · Score: 1, Interesting

      This. My company gave up on Windows after we almost went out of business because of a data leak due to a .NET bug. Anyone still using it doesn't care about security.

      Which bug was that?

    5. Re:Ah, PDF - should have stopped at 1.5 by lgw · · Score: 1

      Did PDF recently become Turing complete? I thought it always was, but maybe I'm mis-remembering. Postscript is a full programming language, but fortunately it's quite rare to see it these days. Thank goodness Display PostScript did not become the way web pages get rendered.

      --
      Socialism: a lie told by totalitarians and believed by fools.
    6. Re:Ah, PDF - should have stopped at 1.5 by lgw · · Score: 1

      PDF != PS

      Of course - that's why I'm asking "is PDF Turing-complete like PS is? Was it always?" Do you happen to know?

      --
      Socialism: a lie told by totalitarians and believed by fools.
    7. Re:Ah, PDF - should have stopped at 1.5 by anss123 · · Score: 3, Informative

      Having written both a PDF and a PS interpreter, I can tell you that PDF command streams (the stuff that tells the viewer how to draw the page) have no loops or variables. You can't do calculations, the closest thing being PostScript functions, but you can't directly use the output of such a function (it's used to calculate colors).

      Now, to be fully PDF compliant, you must support a limited subset of PostScript commands. There at least you can do math, but loops need not be implemented, just a few math-related operators.

      In theory, Type1 fonts are just PostScript code, but PDF viewers never actually execute that code.

      TrueType fonts have executable code that is executed, but I don't know if it's Turing-complete.

      Of course, PDF v.1.7 allows for JavaScript.

    8. Re:Ah, PDF - should have stopped at 1.5 by Eunuchswear · · Score: 1

      Of course, PDF v.1.7 allows for JavaScript.

      Which is not such a big deal as we're talking about viewing PDFs in a web browser.

      --
      Watch this Heartland Institute video
    9. Re:Ah, PDF - should have stopped at 1.5 by lgw · · Score: 1

      JavaScript == vulnerability.

      Sure, if turning off JS in my browser means turning it off in the PDF viewer, that's a helpful mitigation, but why must a document format include a virus scripting language?

      --
      Socialism: a lie told by totalitarians and believed by fools.
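anss123's comment above lists what a PDF can carry (PostScript calculator functions, font programs, and from v1.7 JavaScript), and lgw asks why a document format needs a scripting language at all. As a defender's triage check added here (not code from the thread, from WinRT PDF, or from any browser's PDF engine), the script below counts the dictionary keys that mark script, auto-run actions or embedded payloads, decoding `#xx` name escapes and inflating FlateDecode streams so that simple hiding inside an object stream does not defeat a plain substring search. The key list and the sample PDFs are constructed for the example; the keys are an assumption about what counts as "active" content, not a definition from the PDF spec.

```python
import re
import zlib

# Dictionary keys that mark active or externally-reaching content (assumed list):
# /JS and /JavaScript carry script, /OpenAction and /AA auto-run actions,
# /Launch starts an external program, the rest carry payloads or scriptable forms.
ACTIVE_KEYS = ("/JavaScript", "/JS", "/OpenAction", "/AA", "/Launch",
               "/EmbeddedFile", "/RichMedia", "/XFA")

_HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")
_STREAM = re.compile(rb"stream\r?\n(.*?)\r?\n?endstream", re.DOTALL)


def inflate_streams(data: bytes) -> bytes:
    """Append the inflated body of every zlib-readable stream, because a PDF 1.5+
    object stream (/ObjStm) can hide dictionary keys inside FlateDecode data."""
    extra = []
    for m in _STREAM.finditer(data):
        try:
            # decompressobj tolerates a clipped trailer; non-zlib data raises
            out = zlib.decompressobj().decompress(m.group(1))
            if out:
                extra.append(out)
        except zlib.error:
            pass  # image data or another filter; nothing to inflate
    return data + b"\n" + b"\n".join(extra)


def normalize_names(data: bytes) -> bytes:
    """Decode PDF name escapes such as /J#53 -> /JS, which would otherwise hide a
    key from a naive substring search."""
    return _HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def scan_pdf(data: bytes) -> dict:
    """Count each active-content key in raw PDF bytes after inflating streams and
    decoding escapes. A key must end at a delimiter, so /JSX does not count as /JS."""
    text = normalize_names(inflate_streams(data))
    counts = {}
    for key in ACTIVE_KEYS:
        pattern = re.escape(key.encode()) + rb"(?![A-Za-z0-9_])"
        n = len(re.findall(pattern, text))
        if n:
            counts[key] = n
    return counts


def is_active(data: bytes) -> bool:
    """True when the file can run script, auto-run an action or launch something."""
    return bool(scan_pdf(data))


# Constructed samples (not real documents): a plain file, one that auto-runs
# JavaScript on open, and one hiding the same keys with name escapes inside a
# zlib-compressed object stream.
CLEAN_PDF = (b"%PDF-1.7\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
             b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n%%EOF\n")
JS_PDF = (b"%PDF-1.7\n1 0 obj << /Type /Catalog /OpenAction 3 0 R >> endobj\n"
          b"3 0 obj << /S /JavaScript /JS (app.alert(1)) >> endobj\n%%EOF\n")
_HIDDEN = zlib.compress(b"3 0 obj << /S /Java#53cript /J#53 (app.alert(1)) >>")
OBFUSCATED_PDF = (b"%PDF-1.7\n4 0 obj << /Type /ObjStm /Filter /FlateDecode /Length "
                  + str(len(_HIDDEN)).encode() + b" >>\nstream\n" + _HIDDEN
                  + b"\nendstream\nendobj\n%%EOF\n")
```

A hit means the file deserves a sandboxed viewer or closer inspection, not that it is malicious; form-heavy documents legitimately use /AA and /XFA.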
  3. What's the vulnerability here? by PhrostyMcByte · · Score: 4, Insightful

    Is there an actual bug in EDGE's PDF viewer, or are we just saying software can have bugs and that people will try to exploit those bugs?

    1. Re:What's the vulnerability here? by Simon+Brooke · · Score: 1

      It downloads unknown executable code from the Internet, and then executes it. Fortunately the Internet is a very safe place on which no-one would ever dream of posting malicious code.

      --
      I'm old enough to remember when discussions on Slashdot were well informed.
    2. Re:What's the vulnerability here? by batkiwi · · Score: 2

      Wait until you find out about browsers downloading html and javascript....

    3. Re:What's the vulnerability here? by JustAnotherOldGuy · · Score: 1

      Is there an actual bug in EDGE's PDF viewer, or are we just saying software can have bugs and that people will try to exploit those bugs?

      In a word, "yes".

      --
      Just cruising through this digital world at 33 1/3 rpm...
    4. Re:What's the vulnerability here? by AC-x · · Score: 1

      Wait until you find out that exploits can be triggered by fonts, images, and even HTML tags.

    5. Re:What's the vulnerability here? by benjymouse · · Score: 1

      Is there an actual bug in EDGE's PDF viewer

      No. That is, there might be, but the blog post is not about the discovery of a vulnerability.

      or are we just saying software can have bugs and that people will try to exploit those bugs?

      Yes, pretty much. The Slashdot submission actually tries to spin the message of the blog post around: reading the post, the researcher seems to be of the opinion that even a vulnerability in the PDF library of WinRT - especially with Control Flow Guard protection in Windows 10 - is actually very, very hard to exploit. Not exactly what you read from the submission.

      And it makes sense too: a PDF library developed under the Secure Development Lifecycle (SDL) is likely to have *fewer* vulnerabilities than age-old Adobe code. Firefox's approach (PDF renderer exclusively in JavaScript) is somewhat better, but does not allow the functionality to be used in standalone applications.

      --
      Reading slashdot one-liner: (irm http://rss.slashdot.org/Slashdot/slashdot).rdf.item | fl title,desc*
    6. Re:What's the vulnerability here? by benjymouse · · Score: 1

      Is there an actual bug in EDGE's PDF viewer, or are we just saying software can have bugs and that people will try to exploit those bugs?

      In a word, "yes".

      No.

      --
      Reading slashdot one-liner: (irm http://rss.slashdot.org/Slashdot/slashdot).rdf.item | fl title,desc*
  4. "All an attacker needs to do..." by nuckfuts · · Score: 4, Insightful

    "... is find and create a database of WinRT vulnerabilities...".

    You mean the way any piece of software in existence could be exploited by "finding a vulnerability"?

    Even the referenced article states that...

    ...because Windows 10 implemented former EMET features such as ASLR protection and Control Flow Guard, [this] "makes the development of exploits for WinRT PDF vulnerabilities time-consuming and therefore costly for an attacker."

    So not only is this utter FUD, it's self-contradictory FUD.

    1. Re:"All an attacker needs to do..." by houghi · · Score: 1

      Time-consuming and costly is the same as security through obscurity. So that means that neither you nor I will be attacked. It means that people who have money and time will attack those who seem to be interesting targets.

      So it could be between big companies or, more likely, between countries. To me that is not FUD, but IT stuff that matters. I will not panic over it, but I find it technically interesting.

      --
      Don't fight for your country, if your country does not fight for you.
    2. Re:"All an attacker needs to do..." by nuckfuts · · Score: 1

      You're missing the point. The summary implies Edge using the WinRT PDF library makes attacks easier, but the article goes on to say that Windows 10 uses EMET techniques that make attacks harder. That's the contradictory part.

      The summary also states that an attacker needs to "find and create a database of WinRT vulnerabilities". Not that any exploit exists, just that one might be found, which one could say about any software. That's the FUD part.

  5. WTF? by Anonymous Coward · · Score: 1

    So a story about the possibility of an exploit if a vulnerability can be found for a dead platform (WinRT is the old ARM original Surface devices that sold like arse). Why the fuck are they even researching this? Even if WinRT was wide open with publicly known vulnerabilities it would pretty much be a non-issue as almost no one uses it, so trying to exploit it is pointless. It is like pointing out a security hole in OS/2, or DR DOS.

  6. And Firefox? by rduke15 · · Score: 1

    Firefox also has an internal PDF viewer. Is there any difference? Is there some specific reason that makes the embedded PDF viewer safe in Chrome or Firefox, but not in Edge?

    1. Re:And Firefox? by NotInHere · · Score: 5, Informative

      In fact there is a difference that makes the PDF reader in Firefox more secure than the ones in Chrome or Edge: in Chrome and Edge, the PDF reader is a binary module that's sandboxed in some way from the other parts of the operating system, with that sandbox being the only protection mechanism.

      In Firefox, the PDF reader is written 100% in JavaScript. Originally, in fact, it was written by some guy who greatly improved the JavaScript JIT engine for Firefox and wanted to demonstrate how fast the JavaScript VM had become, and that it can run "real" applications like PDF readers.

      In fact, since the earliest days, the website for the Firefox PDF reader has featured his paper as the example document: https://mozilla.github.io/pdf....

      To get back to the topic: due to the fact that the Firefox PDF reader only uses APIs and functionality that are already available in the web, viewing a PDF file isn't less secure than normally browsing the internet (without any addons that e.g. block JavaScript or something). So in theory the Firefox PDF reader should be the most secure one, as there is no difference, and thus no additional attack surface.

      However, there is a tiny part where the Firefox PDF reader is different from normal JS code, and it has already been abused once: https://blog.mozilla.org/secur...
      It was not a remote code execution bug, but it allowed websites to read files on your disk, which is pretty bad.

      So yes, in principle the PDF reader for Firefox is the most secure one.

    2. Re:And Firefox? by LordWabbit2 · · Score: 2

      My Firefox PDF reader is the most secure, since every time I even try to open a PDF in Firefox it freezes, so I don't bother opening PDFs in Firefox.

      --
      There are three kinds of falsehood: the first is a 'fib,' the second is a downright lie, and the third is statistics.
    3. Re:And Firefox? by Anonymous Coward · · Score: 1

      Huge PDF files with large images (50 MB and up) are unbearable. But it works just fine for small files where you don't have custom fonts.

    4. Re:And Firefox? by NotInHere · · Score: 1

      There is a list on github: https://github.com/mozilla/pdf...

  7. For more information by penguinoid · · Score: 3, Funny

    For more information on the hack, click here [pdf]

    --
    Don't waste your vote! Vote for whoever you want, unless you live in a swing state it won't matter anyways
  8. That's what they get... by Nunya666 · · Score: 1

    ...for using Windows 10.

  9. Crying wolf by iamacat · · Score: 1

    All the article says is that because Edge uses a library to open PDFs, someone could potentially find a vulnerability and then exploit it, if they are not stopped by the browser's extensive sandboxing features. That's a lot of handwaving and not one concrete exploit.

    1. Re:Crying wolf by MtViewGuy · · Score: 1

      And Microsoft will probably patch it with this month's security updates, which should be out next Tuesday (March 8, 2016).

    2. Re:Crying wolf by Gadget_Guy · · Score: 1

      Patch what? There is nothing that needs to be patched. There is no bug or security hole, and everything the article describes is a system working as designed. It just says that if there were a security flaw then it could be hacked, but that is no different from any software.

  10. Researcher's actual page by qubezz · · Score: 3, Informative

    Slashdot editors can't help themselves. Post the original article? No, let's post a monetized site with two generations of dumbing-down.

    At this week's RSA USA 2016 conference, I will be presenting my research on the attack surface and exploit mitigations in EdgeHTML, the rendering engine used by the Edge browser on Windows 10. One of the interesting features of EdgeHTML that I will discuss is its ability to use the built-in WinRT PDF Renderer library in Windows for rendering PDFs.

    The feature is useful in that users do not need to install and maintain additional software for reading PDFs. However, the feature also opens up another attack surface that can be used to attack the Edge browser. This blog post takes a look at this library and its security implications.

    https://securityintelligence.c...

  11. Non-story by AlphaBro · · Score: 1

    No vulnerabilities cited, let alone exploits? As others have pointed out, this is a non-story about something that could happen, but hasn't yet. This is pure clickbait, and serves little use apart from generating advertising revenue and revealing commenters that know nothing about information security.

    1. Re:Non-story by softnewsit · · Score: 1

      I think the article mentions that details will be provided at RSA this week

      --
      Go away!
    2. Re:Non-story by AlphaBro · · Score: 1

      Did you read the original article? There's nothing in it that suggests they have discovered any vulnerabilities, let alone developed any working exploits. The article seems to indicate nothing more than a discussion about attack surface (which is a legitimate topic, but the difference seems to be lost to most of /.) and the cost of exploitation. Of course, they may be underselling their talk by failing to state that they did find and exploit vulnerabilities, but generally that's not how this works.

    3. Re:Non-story by AlphaBro · · Score: 1

      No, it's not. The title is trite, click-bait garbage intended to garner Microsoft hate. "Windows' Built-In PDF Reader Exposes Edge Browser To Hacking" implies active exploitation (or at least the discovery of a vulnerability), when in fact no such "hacking" is known to have occurred. Further, expansion of attack surface is hardly newsworthy, especially when it parallels extant attack surface of competitors. Having been a /. reader for some time, I can't think of a single article comparable to this seemingly new low.

  12. Re:Just admit it: Win10 == piece of shit by AlphaBro · · Score: 1

    Yeah, Windows 10 has had a plethora of highly publicized, named exploits a la heartbleed, shellshock, stagefright, drown, etc. Hey, wait a second...

  13. Windows built-in sockets library exposes OS... by bool2 · · Score: 1

    Windows 10, Microsoft's new operating system, uses the Winsock Sockets library to automatically manage socket connections while navigating the web. This is what Java does with applets, and Flash with SWF files -- it unintentionally allows a hacker to append malicious code to data and trigger drive-by attacks, which exploit Winsock vulnerabilities to target Windows 10 users. All that an attacker needs to do is to find and create a database of Winsock vulnerabilities it could leverage to distribute his malware.

  14. Browser uses library to display files, horrors. by Eunuchswear · · Score: 1

    Edge, Microsoft's new browser, uses some HTML library to automatically embed and present HTML files while navigating the web. This is what Java does with applets, and Flash with SWF files -- it unintentionally allows a hacker to append malicious code to HTML files and trigger drive-by attacks, which exploit the HTML library vulnerabilities to target Windows 10 users. All that an attacker needs to do is to find and create a database of HTML library vulnerabilities it could leverage to distribute his malware.

    --
    Watch this Heartland Institute video
  15. Not much has changed. by mitcheli · · Score: 1

    Didn't Microsoft have similar problems with incorporating third party tools into IE4? And that was like what, 1997?

    --
    Select from tblFriends where interesting >= 4;