Chrome users who haven't restarted their browser recently should do so immediately to receive a patch for a high-severity flaw in the browser's built-in PDF reader. Attackers could execute arbitrary code on the user's system by tricking them into opening a PDF document containing a malicious image, according to researchers at Cisco Talos.
"The most effective attack vector is for the threat actor to place a malicious PDF file on a website and then redirect victims to the website using either phishing emails or even malvertising," Cisco Talos wrote in a blog post disclosing the vulnerability.
The heap buffer overflow (CVE-2016-1681) is present in the jpeg2000 image parser library used by PDFium, Chrome's default PDF reader. The flaw is located in the underlying jpeg2000 parsing library OpenJPEG, in j2k.c's opj_j2k_read_SPCod_SPCoc function. While an assert call prevents the heap overflow in standalone builds, Google uses a special build process that omits assertions, making the flaw exploitable in Chrome.
With attackers relying on weaponized PDF documents to target vulnerabilities in Adobe Reader, several browser makers have built-in PDF readers so that users don't have to install plugins. However, just because these are built-in readers doesn't mean users still don't have to be careful about opening PDF files they receive via email attachments or they download from the Internet.
Google follows the automatic update model to keep Chrome on Windows and Macs up-to-date, which means most users are already on the latest version of the browser and are protected. That is, assuming they've restarted their browsers at least once since May 25. However, many organizations disable auto-updates in order to test new versions of Chrome on their networks before deploying them to endpoints. IT should prioritize testing and make sure users are running Chrome 51.0.2704.63 (released May 25) or even Chrome 51.0.2704.79 (released June 1) to address this flaw.
"It is fairly easy for an attacker to take advantage of this vulnerability," Cisco Talos wrote. Attackers could use a specially crafted PDF document to execute code to cause a denial of service or some other attack.
As part of the research, Cisco Talos embedded a jpeg2000 image that had its SIZ market truncated in a PDF file. Since the number of components specified in the SIZ marker in this malicious image is 0 and it isn't followed by individual component information, the code for parsing the jpeg file makes an erroneous call. The only difference between a valid jpeg2000 file and a malicious one targeting this vulnerability is the fact that SIZ marker specifies 0 components, Cisco Talos said.
Google assigned a CVSS 3.0 score of 6.3 to the flaw, and paid Aleksandar Nikolic of Cisco Talos $3,000 for reporting the vulnerability.
PDF documents are a fact of life for most users nowadays, so always think twice before opening them. Make sure reports are from reputable sources and exercise extreme caution before opening unsolicited documents. Some business functions -- such as recruiting -- are especially at risk since the role requires opening PDF files (such as resumes) which are sent unsolicited (from potential job candidates).
While built-in readers in browsers have gone a long way toward making it safer to open PDF files from the Internet, this vulnerability report is a timely reminder that even built-in readers can be vulnerable. Stay current with regular software updates, whether by restarting the browser on a regular basis or installing the updates as soon as they are available.