Chrome users who haven't restarted their browser recently should do so immediately: the restart applies a patch for a high-severity flaw in the browser's built-in PDF reader. According to researchers at Cisco Talos, attackers could execute arbitrary code on a user's system by tricking them into opening a PDF document containing a malicious image.
Researchers have discovered an arbitrary code execution flaw in PDFium, the default PDF reader that Google bundles with the Chrome browser. Discovered by Aleksandar Nikolic of Cisco, CVE-2016-1681 is a heap buffer overflow in the JPEG 2000 image parser library (OpenJPEG) that PDFium uses. According to the researcher, an attacker could have exploited the flaw for arbitrary code execution simply by embedding a specially crafted JPEG 2000 image in a PDF document.
Just viewing a PDF document that includes such an embedded image would let an attacker achieve code execution on the target system. A hacker could “place a malicious PDF file on a website and then redirect victims to the website using either phishing emails or even malvertising,” achieving code execution capabilities.
The flaw stems from a small error by Chrome’s developers, Nikolic wrote in a blog post. “An existing assert call in the OpenJPEG library prevents the heap overflow in standalone builds, but in the build included in release versions of Chrome, the assertions are omitted.” Because the assertion was compiled out, the bounds check disappeared with it, and when PDFium invoked the OpenJPEG library the heap buffer overflow was reachable, leaving the door open to attackers.
Nikolic has confirmed that Google patched the flaw with a single line of code, by “promoting a problematic `assert` to an `if` statement”. The researcher informed Google about the bug on May 19th; the search giant fixed it on May 25th and rated the vulnerability as high severity. Nikolic was awarded $3,000 for the finding.
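The mechanism behind the fix is worth seeing in code. The example below is an added illustration written for this article, not OpenJPEG or PDFium code: a constructed decoder copies a length taken from an untrusted image header into a fixed-size buffer. The first version guards the copy only with `assert()`, which release builds compiled with `-DNDEBUG` turn into nothing, so the check that protects a developer's debug build is absent from the binary users run. The second version promotes that assertion to an `if` statement, which is part of the program logic and survives every build configuration. Buffer sizes, function names and the sample payload are all constructed for the demo.

```c
#include <assert.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed illustration, not OpenJPEG or PDFium code: a decoder copies
 * `count` bytes, a length declared in an untrusted image header, into a
 * fixed-size output buffer of OUT_CAP bytes. */
#define OUT_CAP 16

/* BEFORE: the only bounds check is an assert(). Release builds are normally
 * compiled with -DNDEBUG, which expands assert() to nothing, so an oversized
 * `count` reaches memcpy and writes past the end of `out`. In a debug build
 * the same input simply aborts the process. */
size_t decode_assert_only(uint8_t *out, const uint8_t *in, size_t count)
{
    assert(count <= OUT_CAP);       /* compiled out under NDEBUG */
    memcpy(out, in, count);         /* heap overflow when count > OUT_CAP */
    return count;
}

/* AFTER: the assertion is promoted to an if statement. The check is real
 * program logic, present in every build, and the caller receives an error
 * code for a malformed image instead of a corrupted heap. */
int decode_checked(uint8_t *out, const uint8_t *in, size_t count)
{
    if (count > OUT_CAP)            /* always present, always enforced */
        return -1;                  /* reject the malformed image */
    memcpy(out, in, count);
    return (int)count;
}

/* Demo: a constructed "image" whose header claims 32 payload bytes although
 * the output buffer only holds 16. decode_checked refuses it; the assert-only
 * version would abort (debug) or overflow `out` (NDEBUG), so it is
 * deliberately not called with this input. */
int demo_oversized_header(void)
{
    uint8_t payload[32];
    uint8_t out[OUT_CAP];
    memset(payload, 0xAB, sizeof payload);
    memset(out, 0, sizeof out);
    return decode_checked(out, payload, sizeof payload);   /* -1 */
}

/* Demo: a well-formed header of 8 bytes is decoded by both versions. */
int demo_valid_header(void)
{
    uint8_t payload[8] = {1, 2, 3, 4, 5, 6, 7, 8};
    uint8_t out[OUT_CAP] = {0};
    int n = decode_checked(out, payload, sizeof payload);
    if (n != 8 || out[7] != 8)
        return -2;
    /* the assert-only path is safe for in-range input in every build */
    return (int)decode_assert_only(out, payload, sizeof payload);  /* 8 */
}
```

The defender's takeaway is the one the patch embodies: `assert()` documents an invariant the developer believes holds, but it is not an input validation mechanism, because the build that ships to users is usually the one where it vanishes. Any check that stands between attacker-controlled data and a memory write belongs in an `if` with an error path, and a code review or compiler-warning sweep for `assert()` calls whose condition depends on parsed input is a cheap way to find the same pattern elsewhere.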
| Date | Event |
|---|---|
| 2016-05-25 | Bug fixed, with fix publicly available in Chromium |
| 2016-05-25 | Bug fix shipped in Chrome Stable 51.0.2704.63 |
| 2016-06-08 | Talos releases details |
Users should update their Chrome browsers to the latest version, 51.0.2704.63, to benefit from this and 41 other security patches.
While built-in readers in browsers have gone a long way toward making it safer to open PDF files from the Internet, this vulnerability report is a timely reminder that even built-in readers can be vulnerable. Stay current with regular software updates, whether by restarting the browser on a regular basis or by installing updates as soon as they are available.