Windows Built-in PDF Reader Exposes Edge Browser to Hacking

Exterminator

WinRT PDF, the default PDF reader for Windows 10, leaves Edge users vulnerable to a new series of attacks that are incredibly similar to how Flash, Java, and Acrobat have exposed Web users in the past few years.

The Windows Runtime (WinRT) PDF Renderer library, or just WinRT PDF, is a powerful component built into recent Windows OS versions that allows developers to easily integrate a PDF viewing feature inside their apps.

The library is used for many apps distributed via the Windows Store, the default Reader App included in Windows 8 and 8.1, and even with Edge, Microsoft's latest Web browser.

Hackers can abuse WinRT PDF for drive-by attacks
Mark Vincent Yason, security researcher with IBM's X-Force Advanced Research team, has discovered that WinRT PDF can be leveraged in drive-by attacks in the same way attackers used Flash or Java in the past.

Since WinRT PDF is Edge's default PDF reader, any PDF file embedded inside a Web page will be opened within the library. A clever attacker can contain a WinRT PDF exploit within their PDF file, which could be secretly opened using an iframe positioned off screen with CSS.

The malicious code would execute and exploit the WinRT PDF vulnerability in the same way exploit kits like Angler or Neutrino deliver Flash, Java, or Silverlight payloads.

All that an attacker needs to do is find and create a database of WinRT vulnerabilities they could leverage to distribute their malware via this new attack surface.

Hold your horses, everyone!
"A major factor that will affect when and how often we see in-the-wild exploits for WinRT PDF vulnerabilities depends on how difficult it is to exploit them," Mr. Yason explains.

He says that because Windows 10 implemented former EMET features such as ASLR protection and Control Flow Guard, this "makes the development of exploits for WinRT PDF vulnerabilities time-consuming and therefore costly for an attacker."

Mr. Yason will come up with a more in-depth presentation of this attack surface at this year's RSA security conference in San Francisco.
 
Any and all applications are subject to vulnerability exploits. That is why it is recommended to use an anti-exploit as part of your security config.

An anti-exploit isn't an absolute necessity if you use other software that will detect/block the dropper and/or the execution of trusted, but vulnerable Windows applications - such as powershell.exe, RegAsm.exe, etc. Such softs include AppGuard, NVT ERP, Bouncer, SOB, EAM, etc. To deal with an exploit requires understanding of malware behaviors - so it is best for the typical user to use a good anti-exploit.

On W10, probably the best anti-exploit is HitmanPro.Alert - since one can easily protect Microsoft Edge and other Windows Apps by adding them to the list of protected apps. Plus, HMP.A is very light on system resources and has the bonus of including HMP companion scanner.
 
-- Very well said there hjlbx :)
Too bad HMP.A isn't free. NVT ERP + MBAE free can suffice as freeware alternative.

NVT ERP is gold. Just add all required vulnerable processes (see SubTee online): GitHub - subTee/ApplicationWhitelistBypassTechniques: A Catalog of Application Whitelisting Bypass Techniques

Remember, add both System32 and SysWOW64 directories for both system processes and NET assemblies.

Keep on top of Windows processes that are newly being abused.

Configuring the NVT ERP vulnerable process list is not as big of a rigmarole as it seems... :D
--Thanks for the list there guru! Hope you can make some sort of a best config setup (with the list you have given) so other members can appreciate NVT ERP more :)

All anyone needs to do is add all the processes given in the list.

NET assemblies are found in each version folder - e.g. RegAsm.exe can be found in v 1, v 3, v 4 folders - NETframe and NETframex64.

What is on a system and where depends upon OS version.

I use UltraSearch to locate all the *.exe files in the list.

UltraSearch makes it easier, but once you learn where to look - then it becomes even easier.
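As an added example (not code from the thread, from NVT ERP or from the catalog linked above), the following PowerShell script does the same search the posts above describe by hand: for each name in the vulnerable-process list it looks under both System32 and SysWOW64 and under every version folder of the 32-bit and 64-bit .NET Framework roots, then writes the full paths to a text file for pasting into the protected-process list. Only the two executables the thread itself names (powershell.exe and RegAsm.exe) are seeded; the function name Find-VulnerableProcessPaths and the output file location are my own choices.

```powershell
# Added example: locate every copy of the executables on the vulnerable-process
# list so each full path can be added to NVT ERP. Seeded only with the two
# names the thread mentions; extend $VulnerableNames from the linked catalog.
$VulnerableNames = @('powershell.exe', 'RegAsm.exe')

# Locations the thread says to cover: both System32 and SysWOW64, plus every
# version folder (v1, v3, v4, ...) under the 32-bit and 64-bit .NET roots.
$SearchRoots = @(
    (Join-Path $env:SystemRoot 'System32'),
    (Join-Path $env:SystemRoot 'SysWOW64'),
    (Join-Path $env:SystemRoot 'Microsoft.NET\Framework'),
    (Join-Path $env:SystemRoot 'Microsoft.NET\Framework64')
)

# Hypothetical helper name. Returns the full path of every matching file found
# under the given roots; roots that do not exist on this OS (for example
# Framework64 on 32-bit Windows) are skipped rather than reported as errors.
function Find-VulnerableProcessPaths {
    param(
        [string[]]$Names = $VulnerableNames,
        [string[]]$Roots = $SearchRoots
    )
    foreach ($root in $Roots) {
        if (-not (Test-Path -Path $root)) { continue }
        Get-ChildItem -Path $root -Recurse -File -Include $Names -ErrorAction SilentlyContinue |
            Select-Object -ExpandProperty FullName
    }
}

$paths = Find-VulnerableProcessPaths | Sort-Object -Unique

# Show which names were not found anywhere, so gaps in the list are obvious.
foreach ($name in $VulnerableNames) {
    if (-not ($paths | Where-Object { $_ -like "*\$name" })) {
        Write-Warning "No copy of $name found under the searched roots."
    }
}

$paths
# Output location is an assumption; change it to suit.
$paths | Set-Content -Path (Join-Path $env:USERPROFILE 'Desktop\vulnerable-processes.txt')
```

Run it from an elevated PowerShell prompt so the Framework folders are readable, and re-run it after Windows feature updates, which is one way to act on the earlier advice to keep on top of newly abused processes: any path that appears in the new output but not in the previous file is a candidate for the protected list.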