Google patches high-severity flaw in Chrome's PDF reader

From InfoWorld: Chrome users who haven't restarted their browser recently should do so immediately to receive a patch for a high-severity flaw in the browser's built-in PDF reader. Attackers could execute arbitrary code on the user's system by tricking them into opening a PDF document containing a malicious image, according to researchers at Cisco Talos.

"The most effective attack vector is for the threat actor to place a malicious PDF file on a website and then redirect victims to the website using either phishing emails or even malvertising," Cisco Talos wrote in a blog post disclosing the vulnerability.

The heap buffer overflow, tracked as CVE-2016-1681, sits in OpenJPEG, the JPEG 2000 parsing library that PDFium (Chrome's default PDF reader) uses to decode JPEG 2000 images embedded in PDFs; specifically, it is in the opj_j2k_read_SPCod_SPCoc function in j2k.c. In a standalone OpenJPEG build an assert call aborts the program before the overflow can happen, but Google builds Chrome with assertions omitted, so the out-of-range value is never checked and the overflow becomes reachable, and exploitable, in Chrome.
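The bug class described above, as an added example that is not OpenJPEG's or Chrome's code: a count read from the untrusted file sizes a loop over a fixed-capacity array, and the only bound on it is an assert(). The struct, the field names, MAX_LEVELS and the two parser functions are hypothetical stand-ins for the pattern, not the real j2k.c logic. Compiling with -DNDEBUG (as release builds typically do) removes the assert and leaves the vulnerable version with no check at all; the hardened version uses an ordinary runtime check that survives every build configuration.

```c
/* Added illustration of the assert-only bounds check pattern (not OpenJPEG code).
 * All names and sizes below are hypothetical stand-ins for the pattern. */
#include <assert.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_LEVELS 8            /* hypothetical capacity of the per-level table */

typedef struct {
    uint8_t num_levels;
    uint8_t step[MAX_LEVELS];   /* fixed-size table indexed by a file-supplied count */
} coding_params;

/* Vulnerable pattern: assert() is the only check on the attacker-controlled count.
 * Under NDEBUG it compiles to nothing, and a count above MAX_LEVELS writes past
 * step[] (a heap overflow when the struct lives on the heap).
 * Returns 0 on success, -1 on truncated input. */
int parse_params_assert_only(const uint8_t *buf, size_t len, coding_params *p)
{
    if (len < 1) return -1;
    p->num_levels = buf[0];
    assert(p->num_levels <= MAX_LEVELS);            /* gone in NDEBUG builds */
    if (len < 1 + (size_t)p->num_levels) return -1;
    for (size_t i = 0; i < p->num_levels; i++)
        p->step[i] = buf[1 + i];                    /* out-of-bounds write if count too big */
    return 0;
}

/* Hardened form: an explicit runtime check and error path, never an assert.
 * Returns 0 on success, -1 on truncated input, -2 when the count exceeds capacity. */
int parse_params_checked(const uint8_t *buf, size_t len, coding_params *p)
{
    if (len < 1) return -1;
    uint8_t n = buf[0];
    if (n > MAX_LEVELS) return -2;                  /* present in every build */
    if (len < 1 + (size_t)n) return -1;
    p->num_levels = n;
    memcpy(p->step, buf + 1, n);
    return 0;
}

/* 1 when assert() is live in this build, 0 when NDEBUG has removed it. */
int assertions_enabled(void)
{
#ifdef NDEBUG
    return 0;
#else
    return 1;
#endif
}

/* Constructed inputs (not taken from any real PDF): a benign header claiming 3
 * levels, and a malicious one claiming 255 levels followed by 255 payload bytes. */
static const uint8_t benign[] = { 3, 0x10, 0x20, 0x30 };
static uint8_t malicious[1 + 255];

/* Runs the hardened parser on the malicious input and returns its status code. */
int demo_checked_rejects_oversized(void)
{
    coding_params *p = calloc(1, sizeof *p);
    malicious[0] = 255;
    memset(malicious + 1, 0x41, 255);
    int rc = parse_params_checked(malicious, sizeof malicious, p);
    free(p);
    return rc;
}

/* Runs both parsers on the benign input; returns step[2] (0x30) if both succeed
 * and agree, -1 otherwise. */
int demo_benign_parses(void)
{
    coding_params a = {0}, b = {0};
    if (parse_params_assert_only(benign, sizeof benign, &a) != 0) return -1;
    if (parse_params_checked(benign, sizeof benign, &b) != 0) return -1;
    if (a.num_levels != 3 || b.num_levels != 3 || a.step[2] != b.step[2]) return -1;
    return a.step[2];
}

int main(void)
{
    printf("assertions enabled in this build: %d\n", assertions_enabled());
    printf("hardened parser on malicious input: %d (expect -2)\n",
           demo_checked_rejects_oversized());
    printf("benign input, step[2] = 0x%02x (expect 0x30)\n", demo_benign_parses());
    /* parse_params_assert_only(malicious, ...) is deliberately never called:
     * with assertions on it aborts, with them off it corrupts the heap. */
    return 0;
}
```

The practitioner's check here is a build-configuration one: grep the parser for assert() calls whose condition involves a value read from the input, and confirm each has a real error path beside it, because the release build (-DNDEBUG) will be the one that ships to users.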

Because attackers have long used weaponized PDF documents to target vulnerabilities in Adobe Reader, several browser makers ship built-in PDF readers so that users don't have to install plugins. A built-in reader is still a parser for attacker-supplied input, though, so users should be just as careful about opening PDF files they receive as email attachments or download from the Internet.