
How a boobytrapped PDF file could exploit your Chrome Browser – and it’s not Adobe’s fault!

It used to be one of the biggest irritations on the web. You would be visiting a website, click on a link and then – without warning – find that Adobe Acrobat Reader was cranking into action, in order to show you the PDF file that the site wanted you to see.

Many was the time when I muttered under my breath that the least the site could have done was warn me that I was about to click on a .PDF file, so I could make an informed decision for myself.

Part of my complaint was that reading Acrobat PDF files on the web wasn’t just a pain – it was also potentially dangerous. Over the years there have been many instances of malicious hackers exploiting vulnerabilities in Adobe’s Acrobat Reader, boobytrapping their PDF files by embedding – for instance – JavaScript code that would carry out unauthorised actions and compromise PCs.

So when browsers began to include alternative PDF readers in their code, such as PDFium, which ships with the Google Chrome web browser, there was something of a sigh of relief. A different code base meant that – hopefully – Chrome’s PDF reader wouldn’t be vulnerable to the same exploits as Adobe’s, and one would hope that the user experience of opening PDF files would be a lot more streamlined too.

However, that improved user experience may have inevitably resulted in some users thinking that PDF files were somehow now safe.

But, as we know all too well, there is no such thing as bug-free code. And sure enough, this week it has been revealed that PDFium, Chrome’s default PDF reader, contained an exploitable vulnerability (CVE-2016-1681) that could have resulted in malicious code being run on innocent users’ systems.

For the attack to take place, all the user had to do was open in Chrome a PDF file containing a specially crafted JPEG2000 image. According to researchers at Cisco Talos, an attacker could plant a malicious PDF on a website and then redirect potential victims to it via malicious email links or malvertising.

Interestingly, the vulnerability does not lie in Chrome’s own code, or even in PDFium’s, but in OpenJPEG, the third-party library PDFium uses to decode JPEG2000 images – although, as Cisco’s Aleksander Nikolic explains, it was Chrome’s particular build of that library that made the bug exploitable:

“A heap buffer overflow vulnerability is present in the jpeg2000 image parser library as used by Chrome’s PDF renderer, PDFium. The vulnerability is located in the underlying jpeg2000 parsing library, OpenJPEG, but is made exploitable in the case of Chrome due to a special build process.”

The significance of the bug is perhaps heightened by the fact that many security products generically look for PDF files carrying embedded JavaScript, but are far less likely to spot a maliciously formed image buried inside a PDF – to a naive scanner, the JPEG2000 data is just another compressed image stream.
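Because that is exactly the gap just described, here is an added example (my own code, not from this article, Cisco Talos, Google or the OpenJPEG project) of a triage pass that flags both kinds of indicator: the classic JavaScript markers and every embedded JPEG2000 (/JPXDecode) image stream. It scans raw bytes with regular expressions rather than being a real PDF parser; the indicator names and the sample PDFs are mine, and the samples are skeletal (no xref table), so they are scannable but not renderable.

```python
"""Added example (not from the article, Cisco Talos, Google or OpenJPEG): a raw-bytes
triage pass over a PDF that flags the classic JavaScript indicators AND every embedded
JPEG2000 (/JPXDecode) image stream. A scanner that only hunts for /JavaScript would
wave through a PDF whose only payload is a malformed image. The sample PDFs below are
constructed here for the demo; they are skeletal (no xref table) and not renderable."""
import re
import zlib

# A stream object: its dictionary (one level of nested << >> allowed; hex strings <..>
# inside dictionaries are not handled) followed by the stream body. Triage, not a parser.
STREAM_RE = re.compile(
    rb"<<((?:[^<>]|<<[^<>]*>>)*)>>\s*stream\r?\n(.*?)\r?\nendstream", re.DOTALL)
JS_RE = re.compile(rb"/(?:JavaScript|JS)\b")
JPX_RE = re.compile(rb"/JPXDecode\b")
AUTO_RE = re.compile(rb"/(?:OpenAction|AA)\b")

JP2_SIGNATURE = b"\x00\x00\x00\x0cjP  \r\n\x87\n"  # JP2 container: signature box
J2K_SOC_SIZ = b"\xff\x4f\xff\x51"                    # raw codestream: SOC then SIZ marker


def inflate(data):
    """Best-effort FlateDecode; corrupt or non-zlib data yields nothing to inspect."""
    try:
        return zlib.decompress(data)
    except zlib.error:
        return b""


def looks_like_jpeg2000(payload):
    """Header sanity check only. A plausible header says nothing about the rest of the
    codestream, which is where a decoder bug gets triggered, so never use this to clear
    a JPX stream; it only spots streams that are not even pretending to be images."""
    return payload.startswith(JP2_SIGNATURE) or payload.startswith(J2K_SOC_SIZ)


def triage_pdf(pdf):
    """Return indicator counts for a PDF supplied as bytes."""
    findings = {"javascript": 0, "auto_action": False,
                "jpx_streams": 0, "jpx_unrecognised": 0}
    searchable = pdf  # raw file plus whatever we can unpack from object streams
    for m in STREAM_RE.finditer(pdf):
        sdict, body = m.group(1), m.group(2)
        if b"/FlateDecode" in sdict:
            body = inflate(body)       # Flate is applied before JPX in a filter chain
        if b"/ObjStm" in sdict:
            searchable += body         # compressed object streams hide dictionaries
        if JPX_RE.search(sdict):
            findings["jpx_streams"] += 1
            if not looks_like_jpeg2000(body):
                findings["jpx_unrecognised"] += 1
    findings["javascript"] = len(JS_RE.findall(searchable))
    findings["auto_action"] = AUTO_RE.search(searchable) is not None
    return findings


def build_sample_pdf(with_javascript):
    """Constructed sample: one page, a JPXDecode image whose codestream is cut off right
    after the SIZ marker, and optionally an OpenAction that runs JavaScript."""
    codestream = J2K_SOC_SIZ + b"\x00\x29" + b"\x00" * 8  # SIZ claims 41 bytes, 8 follow
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R"
        + (b" /OpenAction 4 0 R" if with_javascript else b"") + b" >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 200 200] "
        b"/Resources << /XObject << /Im1 5 0 R >> >> >>",
        b"<< /S /JavaScript /JS (app.alert('hi')) >>" if with_javascript else b"<< >>",
        b"<< /Type /XObject /Subtype /Image /Width 8 /Height 8 /ColorSpace /DeviceRGB "
        b"/BitsPerComponent 8 /Filter /JPXDecode /Length %d >>\nstream\n" % len(codestream)
        + codestream + b"\nendstream",
    ]
    out = b"%PDF-1.5\n"
    for num, body in enumerate(objs, 1):
        out += b"%d 0 obj\n" % num + body + b"\nendobj\n"
    return out + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"


if __name__ == "__main__":
    for flag in (True, False):
        label = "JavaScript + JPX image" if flag else "JPX image only"
        print(label, triage_pdf(build_sample_pdf(flag)))
```

Run it and the second sample comes back with zero JavaScript markers but one JPXDecode stream whose header looks perfectly plausible; a JavaScript-only rule would pass it, which is the point the paragraph above makes. In practice the useful action on a JPX hit is to treat the stream as untrusted input (sandbox the render, or re-encode the image) rather than to trust any header check.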

Google fixed the flaw in Chrome 51.0.2704.63, released on May 25th, and has issued updates addressing other security issues since. Aleksander Nikolic, who responsibly disclosed details of the flaw to Google, was awarded a $3,000 bug bounty for his efforts.

Users of Google Chrome are reminded to ensure that they are running Chrome 51.0.2704.63 or later. The browser does update itself automatically – which is great – but a downloaded update only takes effect once the browser is restarted, so close and reopen Chrome to make certain you are running the latest edition. You can confirm the version number by typing chrome://version into the address bar.

Remember – aside from running a comprehensive anti-virus solution, you should always be careful about the links you click on, and keep your software updated with the latest patches.

About the author

Graham Cluley

Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by companies such as Sophos, McAfee and Dr Solomon's. He has given talks about computer security for some of the world's largest companies, worked with law enforcement agencies on investigations into hacking groups, and regularly appears on TV and radio explaining computer security threats.

Graham Cluley was inducted into the InfoSecurity Europe Hall of Fame in 2011, and was given an honorary mention in the "10 Greatest Britons in IT History" for his contribution as a leading authority in internet security.

2 Comments


  • Yes it most certainly is Adobe's fault! At least.. indirectly. It's sort of their creation, after all. But that aside, I never did understand why anyone thought it even remotely (okay, or locally!) close to a good idea to allow content like this to have executable code (or rather say: viewers that executed code). I can sort of see it for e.g. slide shows but barely. Unsure on PDF… I'm not sure I view it as useful but of course convenience XOR security isn't far off the mark. That any image viewer could run code however I find completely unacceptable yet it's happened as I recall. No comment on macros in MS Office (for example).

    Lastly, on the subject of this CVE in particular:

    'but you should restart your browser to make certain that you are running the latest edition.'

    This is true BUT remember also that unless Chrome statically links in the library (the vulnerable one) then IF it's installed in the system (instead of Chrome loading in its own copy) then you'll also want to restart the browser after updating the library! I don't know how they package it as I use Firefox only (with noscript and various other plugins) but something to keep in mind!

  • Both the Premium AND Free versions of Malwarebytes Anti-Exploit software will protect from these web browser exploits.