Chrome Zero-Day Exploited to Harvest User Data via PDF Files

silversurfer

Exploit detection service EdgeSpot says it has spotted several PDF documents that exploit a zero-day vulnerability in Chrome to collect information on users who open the files through Google’s web browser.

EdgeSpot claims to have identified several samples in the wild. When one of the PDFs is opened with Chrome, a document is shown to the user, but various pieces of information are collected and sent to a remote server in the background.

Researchers say there is no suspicious activity when the files are opened using a viewer such as Adobe Reader, but outbound traffic has been detected when they are opened with Chrome.

EdgeSpot says the specially crafted documents, which have been observed since late December, collect data such as IP address, operating system and Chrome versions, and the full path of the PDF file on the victim’s system.

EdgeSpot said it reported its findings to Google on December 26. However, it claims that Chrome developers only plan on rolling out a fix in late April. SecurityWeek has reached out to Google for comment and will update this article if the company responds.

“We decided to release our finding prior to the patch because we think it's better to give the affected users a chance to be informed/alerted of the potential risk, since the active exploits/samples are in the wild while the patch is not near away,” EdgeSpot said.

Until a patch is released, users have been advised to avoid opening suspicious PDF documents via Chrome and use other PDF viewers.

shmu26

The info harvested by this exploit could be useful in a targeted attack against a high-value target, such as a large corporation or a government body. But it will not harm the home user. Just because someone knows your IP doesn't mean you are pwned.

shmu26

> Why the heck is the PDF component not sandboxed?

Sandboxing the PDF component will not stop it from seeing the file path on the computer. That is all it does. It sees the path of the PDF, and your IP. It does not make any changes to the system.

Running Chrome in Sandboxie or ReHIPS or Comodo sandbox would not stop this exploit, AFAIK, but it would give the attackers the path in the sandboxed location, instead of the real user space.

This is high-level spy stuff, it is not a threat to the world's billion Chrome users.
