Update Chrome ASAP Because Google Fixed a Serious Flaw in the Browser’s Default PDF Viewer
A serious vulnerability in Chrome allowed hackers to execute arbitrary code on a target computer by using PDF documents.
Chrome’s arbitrary code execution flaw in the default PDF viewer
Researchers at Cisco Talos have discovered an arbitrary code execution flaw in PDFium, the default PDF reader that Google installs automatically with the Chrome browser. Found by Aleksandar Nikolic of Cisco, CVE-2016-1681 is an exploitable heap buffer overflow in PDFium that is triggered in the jpeg2000 image parser library (OpenJPEG). The researcher said an attacker could have exploited this flaw for arbitrary code execution by embedding a specially crafted jpeg2000 image in a PDF document.
By just viewing a PDF document that includes an embedded image, a user could have given an attacker code execution on the target system. A hacker could “place a malicious PDF file on a website and then redirect victims to the website using either phishing emails or even malvertising,” achieving code execution capabilities.
The flaw is a small error made by Chrome’s developers, Nikolic wrote in a blog post. “An existing assert call in the OpenJPEG library prevents the heap overflow in standalone builds, but in the build included in release versions of Chrome, the assertions are omitted.” With the assertion compiled out, nothing checked the bounds when PDFium invoked the OpenJPEG library, so a crafted image could overflow the heap buffer and let an attacker run their own code.
Nikolic has confirmed that Google has patched the flaw with a single line of code, “promoting a problematic `assert` to an `if` statement.” The researcher informed Google about the bug on May 19th, and the search giant fixed it on May 25th, rating the vulnerability as high severity. Nikolic was awarded $3,000 for the finding.
Users are advised to update their Chrome browsers to the latest version, 51.0.2704.63, to benefit from this and 41 other security patches.
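The difference between a check written as an `assert` and one written as an `if` can be reproduced in a few lines of C. This is an added example, not code from OpenJPEG, PDFium or the Talos report; the buffer layout, sizes and function names are constructed for illustration, and defining `NDEBUG` stands in for a release build.

```c
/* Added illustration. NDEBUG simulates a release build: assert() expands to nothing. */
#define NDEBUG
#include <assert.h>
#include <stdio.h>
#include <string.h>

enum { CAP = 8, GUARD = 8 };   /* constructed sizes */

/* One array: the first CAP bytes model the buffer, the rest model adjacent
   heap data. All writes stay inside mem[], so the demo is well defined. */
typedef struct { unsigned char mem[CAP + GUARD]; } region_t;

static void region_init(region_t *r) {
    memset(r->mem, 0x00, CAP);
    memset(r->mem + CAP, 0xAA, GUARD);
}
static int guard_intact(const region_t *r) {
    for (size_t i = CAP; i < CAP + GUARD; i++)
        if (r->mem[i] != 0xAA) return 0;
    return 1;
}

/* Bounds check exists only in debug builds. Callers here keep n <= CAP + GUARD. */
static void fill_assert_only(region_t *r, size_t n) {
    assert(n <= CAP);            /* compiled out under NDEBUG */
    memset(r->mem, 0x41, n);
}

/* The same check promoted to an if: present in every build. */
static int fill_checked(region_t *r, size_t n) {
    if (n > CAP) return -1;      /* reject instead of writing */
    memset(r->mem, 0x41, n);
    return 0;
}

/* Returns 1 if the adjacent data survived an oversized (12-byte) request. */
int survives_oversized(int hardened) {
    region_t r;
    region_init(&r);
    if (hardened) fill_checked(&r, 12); else fill_assert_only(&r, 12);
    return guard_intact(&r);
}

int main(void) {
    printf("assert only: guard intact = %d\n", survives_oversized(0));
    printf("if check:    guard intact = %d\n", survives_oversized(1));
    return 0;
}
#undef NDEBUG
#include <assert.h>   /* re-enable assert() for any code that follows */
```

Removing the `#define NDEBUG` line turns the first case into an assertion failure instead of a silent overwrite, which is the standalone-build behaviour the quoted report describes.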