Slashdot Mirror


Annoying 'Open PDF In Edge' Default Option Puts Windows 10 Users At Risk (softpedia.com)

An anonymous reader writes from a report via Softpedia: Microsoft fixed today a serious security flaw in the Windows PDF Library, a standard library used by Windows 10 to open and render PDF files, embedded by default in Edge. Exploiting this flaw allows attackers to execute code on the user's machine and take over the device, just by tricking a user into accessing a PDF hosted online via Edge. Since Edge is not only the default browser in Windows 10, but also the default PDF reader, this flaw puts countless users that have not changed those settings at risk. Even worse, Microsoft has the annoying habit of resetting your personal app preferences once in a blue moon, always reverting Edge as the default browser and the default app to open PDF files.


  1. Microsoft is relentless in being obnoxious lately by pf100 · · Score: 5, Insightful

    I don't want to use Edge and I want my settings to stick. Why are they obviously purposefully reverting my settings? I go out of my way to change a normal default setting and MS switches it back. Many times this has happened. There's no excuse for this horseshit.

  2. At risk of what?? by FrankHaynes · · Score: 4, Funny

    At risk of opening a PDF? Why not automatically open the PDF in protected mode? Surely Edge is advanced enough not to open a PDF with full access permissions to running macros and such?? I mean, Edge can even do WebRTC so at long last Microsoft is catching up to the rest of the world. Surely security considerations can't be far behind. Right? GUYS??

    --
    slashdot: A failed experiment.
    1. Re:At risk of what?? by omnichad · · Score: 3, Informative

      Joke or not, this is not due to functionality in PDF files macros, but a memory corruption issue leading to code execution. The exact same type of thing that happens with most Adobe Reader vulnerabilities. The only difference is the choice in vendor for your bugs.

    2. Re:At risk of what?? by omnichad · · Score: 2

      And yes. Reader has a sandbox, but that's only an extra layer - not foolproof.

    3. Re:At risk of what?? by NotInHere · · Score: 1

      What I wonder is why Edge hasn't. I mean come on, its initial release was in an age where Chrome was the most popular browser, and Chrome does run its PDF reader in a sandbox (afaik).

    4. Re:At risk of what?? by viperidaenz · · Score: 1

      Chrome runs its PDF plugin in a separate process in a sandbox via PPAPI.
      You could disable it and run PDF.js if you wanted to, which only uses standard HTML5 to render the PDF.

    5. Re:At risk of what?? by MightyMartian · · Score: 1, Insightful

      Edge is a steaming pile of shit. It has to be the worst browser by a major software developer in 20 years.

      --
      The world's burning. Moped Jesus spotted on I50. Details at 11.
    6. Re:At risk of what?? by MobyDisk · · Score: 1

      What did Microsoft code their PDF viewer in? Microsoft touts how managed code runs almost as fast as native and is perfectly safe. So why didn't they write their PDF code in it?

    7. Re:At risk of what?? by colinrichardday · · Score: 1

      Making satay with nutella instead of peanut sauce?

    8. Re:At risk of what?? by npslider · · Score: 1

      Actually, Microsoft has just patented a new solution. It's called MS CP. Known by its long name: Microsoft Cellulose Pulp. This new product is impervious to all known attack vectors and requires no battery power to operate. This new technology will be available in the Second Anniversary Update, due out after the 18 month divorce update is released.

      On a side note, Amazon, maker of the Kindle Paper White, is suing MS for creating a product similar in name.

      Lawyers from Oracle have filed 1435 various lawsuits, unrelated to this product.

    9. Re:At risk of what?? by ConceptJunkie · · Score: 1

      Seems to me you can either use managed code or get work done.

      --
      You are in a maze of twisty little passages, all alike.
  3. Edge vs IE11 by Archfeld · · Score: 2

    I use Ubuntu and Windows10 for differing tasks, but I really dislike Edge, and I have since the beginning been using IE11 on Win10. Not that I am disputing it happens but I've not had my defaults reset from what I chose when I 'upgraded' my laptop from Win7 to Win10. In favor of Win10 both the sleep and hibernate function work well now, whereas under Win7 they froze or locked up quite frequently.

    --
    errr....umm...*whooosh* *whoosh* Is this thing on ?
  4. Re:Microsoft is relentless in being obnoxious late by Anonymous Coward · · Score: 5, Insightful

    Because fuck you, that's why. - S. Nadella

  5. Microsoft: convenience over security by QuietLagoon · · Score: 5, Insightful

    ...Since Edge is not only the default browser in Windows 10, but also the default PDF reader...

    This is so wrong on so many levels.

    But fundamentally, why, oh, why, is the browser being promoted to being a viewer of non-HTML documents?

    Convenience over security still seems to be the rule at Microsoft.

    Has Microsoft learned nothing in the past two decades?

    And Windows 10 was supposed to be the paradigm of security for Windows....

    1. Re:Microsoft: convenience over security by Anonymous Coward · · Score: 3, Informative

      I'll mention that Chrome I think was the first of the browsers to start the native PDF rendering without a plugin. In this case Microsoft is following Google's lead.

      Personally I haven't had my Windows 10 settings revert away from my alternate PDF reader that I set as the default viewer but with the we'll say 'quirks' of Windows 10 I'm not at all surprised if that has happened to people.

    2. Re:Microsoft: convenience over security by Luthair · · Score: 1

      With sandboxing Chrome has proven to be significantly safer than any of the other PDF readers.

    3. Re:Microsoft: convenience over security by Lunix+Nutcase · · Score: 2

      Ignoring that Firefox and Chrome were doing it first?

    4. Re:Microsoft: convenience over security by Anonymous Coward · · Score: 1

      Huh? Chrome PDF Viewer still is a plugin to this day. chrome://plugins/

    5. Re:Microsoft: convenience over security by roca · · Score: 1

      Other than pdf.js.

    6. Re:Microsoft: convenience over security by roca · · Score: 1

      Chrome and Firefox open PDFs that you browse to in those browsers with their PDF readers, not any PDF you get via email or whatever. So that's less attack surface.

      Furthermore, Firefox uses pdf.js which is basically a Web app, so there's almost no additional attack surface over just visiting a Web page ... which you were already using Firefox to do.

    7. Re:Microsoft: convenience over security by roca · · Score: 1

      The reason is pretty obvious, and it's not convenience. Microsoft needs to increase Edge usage however they can, and this is one way.

    8. Re:Microsoft: convenience over security by penguinoid · · Score: 1

      But fundamentally, why, oh, why, is the browser being promoted to being a viewer of non-HTML documents?

      For the best of reasons, convenience and user experience. OK, so in this particular case so Microsoft makes more money. But generally users want to view content as quickly and conveniently as possible, and displaying it within the browser while browsing makes a lot of sense. I wouldn't mind being able to view documents and spreadsheets in-browser either. If they do it right.

      On that note, I hope there's a particularly nasty place in hell for whoever decided to make Firefox's default pdf viewer so it only loads part of the file at a time, even if you look through the whole thing, and pretend to search but only search part of the document while pretending it searched the whole thing. Point being, if it is not done right then just use a working viewer rather than a half-assed crappy one.

      --
      Don't waste your vote! Vote for whoever you want, unless you live in a swing state it won't matter anyways
    9. Re:Microsoft: convenience over security by e432776 · · Score: 1

      You might as well ask why the web browser was promoted to being the file system browser also ;-) Seems like the browser is supposed to do it all these days, even worse than back in the Win98 times. It's not even just Microsoft anymore, either. Yikes.

    10. Re:Microsoft: convenience over security by Desler · · Score: 1

      Wrong. In the absence of another PDF Reader Chrome will open downloaded PDFs.

    11. Re:Microsoft: convenience over security by Anonymous Coward · · Score: 1

      It's bitztream, the autism-hating Slashdot troll!

    12. Re:Microsoft: convenience over security by WallyL · · Score: 1

      Oh, it is: Windows 10 is making Microsoft feel very secure!

    13. Re:Microsoft: convenience over security by macs4all · · Score: 1

      I'll mention that Chrome I think was the first of the browsers to start the native PDF rendering without a plugin. In this case Microsoft is following Google's lead.

      No. That would likely be OS X/macOS Safari.

      But that isn't surprising, since the OS has had system-wide native PDF read/write support since day one.

    14. Re:Microsoft: convenience over security by dbIII · · Score: 1

      Has Microsoft learned nothing in the past two decades?

      Due to staff turnover they have not. Hence WinME, Vista, Win8 when they have a new batch of people and Win2K/XP and Win7 when that batch have gained some experience.

    15. Re:Microsoft: convenience over security by toddestan · · Score: 1

      Probably pretty well. One of the reasons why PDF is such a security mess (other than Adobe) is because it has such a huge attack surface. There's tons of features, many of which are seldom used, that allows PDF to do almost anything (well, actually a lot of that is Adobe's fault, actually). Remove support for all of those features and you're going to have a much more secure program that will still work for 99%+ of PDF files out there.

  6. alternative by bloodhawk · · Score: 1, Insightful

    Yep I am sure it would be much safer people switching to the more preferred and common alternative of Adobe Reader. That never has vulnerabilities.

  7. Use Sumatra by zenlessyank · · Score: 1

    Case closed.

    1. Re:Use Sumatra by ChunderDownunder · · Score: 1

      I have time for an external viewer when pdf.js performs poorly on old hardware, whereas sumatra and atril don't choke.

    2. Re:Use Sumatra by Anonymous Coward · · Score: 1

      What year is this? Apparently the dark ages just called on the land-line and wants us to download a stand-alone PDF reader. LOLwut? We ain't got time fo' dat. Just click on the link in your browser. Chrome and Firefox both support PDF (R.I.P. Adobe).

      Yo dawg!
      I don't always want to fucking read the fucking pdf in my fucking browser, so I download it for later viewing in a proper program.

    3. Re:Use Sumatra by macs4all · · Score: 1

      What year is this? Apparently the dark ages just called on the land-line and wants us to download a stand-alone PDF reader. LOLwut? We ain't got time fo' dat. Just click on the link in your browser. Chrome and Firefox both support PDF (R.I.P. Adobe).

      Or just do it the right way, and build native PDF read/write support directly into the OS, like OS X/macOS has since day one. And yes, I realize they inherited that from NeXTStep; but that was SIXTEEN years ago, and STILL nobody else does it.

    4. Re:Use Sumatra by macs4all · · Score: 1

      Yeah, just what we need: another massive security vulnerability built into the OS. No thanks. Apple got this wrong. PDF belongs in a userspace sandbox.

      1. Then how come in SIXTEEN YEARS, no one has exploited the PDF services in OS X?
      2. Apple != Adobe
      3. Adobe's PDF vulnerabilities have been all, or mostly all, Userspace code. So now what?

  8. Re:Microsoft is relentless in being obnoxious late by Anonymous Coward · · Score: 5, Insightful

    Easy: it's ALL about money. What you want or need is *completely* irrelevant. Every update, they'll revert the privacy settings to spy on you more, they'll reinstall the metro/whatever apps you uninstalled because you WILL use the appy apps! Then they reset the defaults to those appy apps. All that, because they'll make 30% cut of the appy app sales. Now, be a good consumer and keep using Windows 10! It's been going in that direction steadily for 5 years (since Windows 8) and it'll keep getting worse. MS no longer cares to even pretend they care about what people want or need. Users are there for the milking and that is all.

  9. Re:Microsoft is relentless in being obnoxious late by TheGratefulNet · · Score: 3, Insightful

    MS is just doing what it thinks is the, uhm, needful.

    --
    "It is now safe to switch off your computer."
  10. Re:Surprise surprise! by ArmoredDragon · · Score: 4, Informative

    I think the bigger surprise was that Microsoft claims that UWP apps are sandboxed, only they're not.

  11. Re:Microsoft is relentless in being obnoxious late by HouseOfMisterE · · Score: 3, Funny

    It could be worse, they could flag your preferred program as incompatible and helpfully uninstall it for you.

  12. I am fascinated by all the genius in this world by fustakrakich · · Score: 1

    And we still can't make a robust computer. But then I have to remind myself that we rode horses and even had the wheel for over ten thousand years before we invented an automobile with fine Corinthian Leather. So, I guess I should be patient.

    --
    “He’s not deformed, he’s just drunk!”
    1. Re:I am fascinated by all the genius in this world by Bite+The+Pillow · · Score: 1

      "So, I guess I should be patient."

      patient [pey-shuh nt] noun
      1.a person who is under medical care or treatment.
      2.a person or thing that undergoes some action.
      3.Archaic. a sufferer or victim.

      adjective
      4.bearing provocation, annoyance, misfortune, delay, hardship, pain, etc., with fortitude and calm and without complaint, anger, or the like.
      5.characterized by or expressing such a quality:
      a patient smile.
      6.quietly and steadily persevering or diligent, especially in detail or exactness:
      a patient worker.
      7.undergoing the action of another

      Origin of patient

      1275-1325; Middle English pacient (adj. and noun) Middle French Latin patient- (stem of patiēns), present participle of patī to undergo, suffer, bear; see -ent

    2. Re:I am fascinated by all the genius in this world by Anonymous Coward · · Score: 1

      And we still can't make a robust computer.

      I know that I will be stating the obvious to most Slashdot readers here, but apparently the parent doesn't get it. Modern computers are complex. Taken as a whole, modern computers and the software that they run are among the most complex devices ever devised by man. Imagine a machine with millions of moving parts that's highly intolerant of errors and you'll have some idea. We put up with this complexity and its inherent problems because the benefits of computing far outweigh the costs in most cases.

    3. Re:I am fascinated by all the genius in this world by silanea · · Score: 1

      Computers are complex, that is true. But firstly, quite a lot of this complexity is superfluous, the result of crappy engineering, feature creep and backwards compatibility to standards that should have been laid to rest decades ago. And secondly, yes, we are perfectly capable of building machines with several million parts of which a sizable portion moves which are highly intolerant of errors and still bringing down the defect rate to a manageable level. The IT world is the shanty town of the industrial sector, with few exceptions. Even the lucky players with more or less closed ecosystems like Apple make headlines every other week with blunders that in other industries would get people burnt at the stake. Yes, we make a conscious trade-off between crappiness and costs. But I am not in the least convinced we are drawing the line in the best place.

      --
      Rudolf Hess edited Mein Kampf. He was the very first grammar nazi.
    4. Re:I am fascinated by all the genius in this world by david_thornley · · Score: 1

      The 747, which you use as an example, is considerably less complex than a large software system because it's got a lot more locality and simple redundancy. Half the parts are fasteners, and fasteners have a local effect. It's easy to put redundant fasteners nearby so that the failure of one will not cause additional problems. It's a lot harder to do similar things in software. The 747 first flew in 1969, doing pretty much what it does now, and there's been a lot of development over more than forty-five years. I'd expect software that's been developed for forty-five years while not having functionality creep to be pretty solid, also.

      Most of the big splashy headaches about IT failures have to do with failures when attacked. Heartbleed was only significant because people deliberately found a vulnerability and exploited it. If a SAM brings down a 747, we don't blame Boeing. There's glitches in software, but then there's glitches in flight operations. Most of the rest are about really large projects that get mismanaged. (The ACA website was actually more successful than typical projects of its size, since it could be fixed into usefulness fairly quickly.) Really large mismanaged projects are not unique to software.

      The price-to-quality tradeoff is not made by software people, but rather by decision makers higher up. It may be that we aren't drawing the line in the right place, but the line is a result of thousands of individual management decisions.

      --
      "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
  13. Re:Microsoft is relentless in being obnoxious late by fustakrakich · · Score: 1

    Why are they obviously purposefully reverting my settings?

    Think of it as early onset of dementia. Microsoft is just becoming a bit forgetful, and left its dentures in the refrigerator again.

    --
    “He’s not deformed, he’s just drunk!”
  14. Re: Microsoft is relentless in being obnoxious lat by hackwrench · · Score: 2

    When I'm buying old Win98/2000 books and am finding they mostly do a good enough job of teaching you how to make programs that are just as good if not better than the programs made using the most up-to-date libraries then something's very wrong.

  15. Re:Microsoft is relentless in being obnoxious late by Brett+Buck · · Score: 2

    Wish I had mod point, certainly, you have nailed it.

  16. Re:Microsoft is relentless in being obnoxious late by Anonymous Coward · · Score: 1

    Rename the Edge executable and watch it fail instead of loading. You have to kill the persistent Edge process and open a cmd prompt as administrator to do the deed.

    It's entirely ridiculous that I had to go to such lengths, but it worked.

  17. Re:Microsoft is relentless in being obnoxious late by subreality · · Score: 2

    Microsoft wants you to use Edge and wants their settings to stick. Why are you obviously purposefully reverting their settings? They go out of their way to create a normal default setting and you switch it back. Many times this has happened. There's no excuse for this horseshit.

    FTFY.

  18. Re:Microsoft is relentless in being obnoxious late by ayesnymous · · Score: 1

    I'm definitely sticking to Windows 7 then.

  19. Same old Microsoft policy by lapm · · Score: 1

    So Microsoft still continues old ways of Swiss cheese out of box practice. No offence to real Swiss cheese, it's actually very good cheese. Considering how massive amount of money Microsoft has and how they could hire best programmers, etc... I'm surprised they still keep making same damn mistakes again and again. Almost like design practice is: Let's sell them broken product and then release fix to some issues later...

  20. Re:Surprise surprise! by mwvdlee · · Score: 2

    They should first finish the browser before trying to compete.
    Last time I checked, Edge didn't support desktop drag&drop, which all major browsers (including Internet Explorer) have for many years.

    --
    Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
  21. Re:Microsoft is relentless in being obnoxious late by dremon · · Score: 2

    > MS no longer cares to even pretend they care about what people want or need. Users are there for the milking and that is all.

    How is that different from any profit organization?

  22. Re:Microsoft is relentless in being obnoxious late by bhcompy · · Score: 1

    I've had absolutely zero trouble with settings sticking or Edge being magically reset to the default browser. Installed FF and Foxit on day one and have never had that change.

  23. Re:Microsoft is relentless in being obnoxious late by Alumoi · · Score: 2

    Nanny knows best!

  24. Re:Microsoft is relentless in being obnoxious late by Alumoi · · Score: 2

    Damn it man, don't give them ideas.

  25. Re:Microsoft is relentless in being obnoxious late by Actually,+I+do+RTFA · · Score: 1

    Because Facebook conditioned people to expect settings to reset randomly. So why wouldn't companies take advantage of that?

    --
    Your ad here. Ask me how!
  26. Re:Microsoft is relentless in being obnoxious late by squiggleslash · · Score: 2

    Did you disable Windows Update? I've seen Edge reset to default under two conditions:

    1. If there's a problem with my default settings, for example when I upgraded Firefox to the 64 bit version and uninstalled the 32 bit version because the two interfered. Not only would it not let me set Firefox as the default any more using the Windows 10 interface (the old Windows 7 defaults window, which is still available but hidden, worked) but it reset everything to Edge until I found the latter workaround.

    2. Whenever a "Big" update occurs, such as the Fall Update and Anniversary Updates.

    The first is completely understandable (minus the not being allowed to select Firefox using the Windows 10 UI). The second... not so much.

    --
    You are not alone. This is not normal. None of this is normal.
  27. Well, yes and no... by tkrotchko · · Score: 1

    "Annoying 'Open PDF In Edge' Default Option Puts Windows 10 Users At Risk "

    Only for the few Windows 10 users who use Edge.

    You have two types of Windows 10 users... those who use Chrome, and those who still want to use IE.

    --
    You were mistaken. Which is odd, since memory shouldn't be a problem for you
    1. Re:Well, yes and no... by ArtemaOne · · Score: 1

      Browsing brought to you by advertisers, or the big OS company? I'll skip those two options. Seems like a Clinton/Trump kind of choice to me.

  28. So what is the "best" PDF display choice for Win10 by swb · · Score: 1

    What is the best PDF display choice for Windows 10?

    I'll admit to using Edge just out of sheer laziness on a fairly new Win 10 laptop just to avoid Acrobat Reader. From file explorer, I usually point them to Chrome.

    It seemed like for years Reader was a big security problem. The last time I looked at third party PDF display software, it was a maze of spyware and nagware with no obvious great replacement.

  29. Thanks so much, Microsoft assholes by kheldan · · Score: 1

    Force your shit OS down everyone's throat
    Claim the spying and pwnage of people's computer is 'for their own protection'
    Claim forcing updates on everyone is 'for their own protection'
    Still manage to get pwned by hackers


    Microsoft, you fucking fail IN SO MANY WAYS that I can't even begin to count them. You didn't 'improve' anything. You didn't 'secure' anything. You're not 'protecting' users. You just forced your gods-be-damned piece of shit OS on everyone like a gods-be-damned date-rapist, and didn't even bother using a gods-be-damned CONDOM when you did the dirty deed. FUCK THE HELL OFF, MICROSOFT!

    --
    Are YOU using the TOOL, or is the TOOL using YOU? Think about it!
  30. Re:Microsoft is relentless in being obnoxious late by colinrichardday · · Score: 1

    Moral: Quit trying to change the way Microsoft's computer runs and use it the way you are supposed to.

    Ah, rebooting into Ubuntu.

  31. Re:Microsoft is relentless in being obnoxious late by erapert · · Score: 2

    If you're not using Linux or a similarly rights-respecting OS then you're literally one of the reasons this is happening.

    Fools stay in an abusive relationship and complain about it.

  32. It gets worse by Espectr0 · · Score: 1

    If you actually try to install a third party app to handle PDF's, (tested with sumatrapdf), windows 10 will intercept the file association change and revert it because it sees it as a hacking attempt. You must change it manually by going to the Default Programs option.

  33. Re:Microsoft is relentless in being obnoxious late by bhcompy · · Score: 1

    I have not disabled Windows Update and I have installed the Anniversary Update without any change.

    Now, setting new defaults through the Windows 10 interface is difficult, and, yes, you must use the Windows 7 interface to do so. That is pretty shitty. I went through it the other day to change defaults and noticed you couldn't pick an executable, only from their preset list of apps through the Windows 10 setup control.

  34. Re:Microsoft is relentless in being obnoxious late by Sparowl · · Score: 1

    He isn't. Microsoft already has papers written up with that idea in mind.

  35. Re:Softpedia by lister+king+of+smeg · · Score: 1

    What is up with the Softpedia? Isn't that the website that distributes malware laden software?

    I thought that was SourceForge

    --
    ---Saying gnome 3 is better than windows 8 not so much a compliment as it is damning with light praise.
  36. Re:Microsoft is relentless in being obnoxious late by ConceptJunkie · · Score: 1

    They already did it with the Windows 10 Anniversary update, which helpfully uninstalls Classic Shell so they pump ads at through that abomination of visual vomit that replaced the Start Menu.

    --
    You are in a maze of twisty little passages, all alike.
  37. Change default PDF setting by sandra_diaz1001 · · Score: 1

    The best way to solve this problem is to change default PDF viewer setting & open PDF in any supported viewer like Microsoft Edge, Adobe Reader & Adobe DC. Follow the step in the blog of PDF file not opening in Microsoft Edge. To change default PDF viewer setting.