How a boobytrapped PDF file could exploit your Chrome Browser - and it's not Adobe's fault!

It used to be one of the biggest irritations on the web. You would be visiting a website, click on a link and then – without warning – find that Adobe Acrobat Reader was cranking into action, in order to show you the PDF file that the site wanted you to see.

Many was the time when I muttered under my breath that the least the site could have done was warn me that I was about to click on a .PDF file, so I could make an informed decision for myself.

Part of my complaint wasn’t that it was just a pain reading Acrobat PDF files on the web – it was also potentially dangerous. Over the years there have been many many instances of malicious hackers exploiting vulnerabilities in Adobe’s Acrobat Reader, boobytrapping their PDF files by embedding – for instance – Javascript code that would conduct unauthorized actions and compromise PCs.

So when browsers began to include alternative PDF readers in their code, such as PDFium which comes with Google Chrome web browser, there was something of a sigh of relief. A different code base meant that – hopefully – the Chrome PDF reader wouldn’t be vulnerable to the same exploits as Adobe’s version, and one would hope that the user experience of opening PDF files would be a lot more streamlined too.

However, that improved user experience may have inevitably resulted in some users thinking that PDF files were somehow now safe.

But, as we know all too well, there is no such thing as bug-free code. And sure enough this week it has been revealed that PDFium, Chrome’s default PDF reader, contained an exploitable vulnerability (known as CVE-2016-1681) that could have resulted in malicious code being run on innocent users’ systems.

For the attack to take place, all the user had to do was view a PDF file that included a specially-crafted JPEG2000 image embedded within it. According to researchers at Cisco Talos, an attacker could plant a malicious PDF on website, and then redirected potential victims to it via malicious email links or malvertising.

Interestingly, the vulnerability does not lie in Chrome’s own code, or that of PDFium, but in the OpenJPEG library that is used to handle the display of JPEG2000 files, as Cisco’s Aleksander Nikolic explains:

“A heap buffer overflow vulnerability is present in the jpeg2000 image parser library as used by the Chrome’s PDF renderer, PDFium. The vulnerability is located in the underlying jpeg2000 parsing library, OpenJPEG, but is made exploitable in case of Chrome due to special build process.”

The significance of the bug is perhaps heightened by the fact that many security solutions generically look for attempts to exploit PDF files with embedded Javascript, but may be less likely to spot a maliciously-formed image buried inside a PDF file.

Google patched its code when it released Chrome 51.0.2704.63 on May 25th, and has issued updates of other security issues since. Aleksander Nikolic who responsibly disclosed details of the flaw to Google was awarded a $3,000 bug bounty for his efforts.

Users of Google Chrome are reminded to ensure that they are running Google Chrome 51.0.2704.63 or later. The browser does automatically update itself – which is great – but you should restart your browser to make certain that you are running the latest edition.

Remember – aside from running a comprehensive anti-virus solution, you should always be careful about the links you click on, and keep your software updated with the latest patches.