Windows 10 update fixes RCE bug in standard PDF library

Aug 9, 2016 21:05 GMT  ·  By
Opening PDF files in Edge on Windows 10 can be dangerous without MS16-102 installed
2 photos
   Opening PDF files in Edge on Windows 10 can be dangerous without MS16-102 installed

Microsoft has released today its monthly security patch, and one of the five security bulletins labeled as critical concerns a remote code execution (RCE) flaw in its standard PDF rendering library that could be exploited when opening PDF files.

The issue, tracked as CVE-2016-3319, is found in the Microsoft Windows PDF Library, the default Windows utility used to open, read, and render PDF files, embedded by default in a couple of apps such as Edge.

An attacker could craft malicious code, add it to the header of a PDF file, and host the file on a Web server.

CVE-2016-3319 exploitation is trivial

If the attacker managed to trick a user into accessing the PDF file link by means of social engineering, which can be a trivial task, the exploit code would cause a memory corruption issue, which, in turn, would allow the attacker to execute custom code on the Windows machine.

The issue is exacerbated by the fact that Windows 10 uses Edge as the default, out-of-the-box browser.

Additionally, Edge is also the default Windows 10 app for opening PDF files, meaning this flaw could be exploited even if the user uses another default browser, such as Firefox, which asks users with what application to open PDF files.

Windows updates that reset default app preferences reopen the vulnerability

Even worse, Microsoft has the annoying habit of resetting your personal app preferences once in a blue moon, always reverting Edge as the default browser and the default app to open PDF files.

This intrusive behavior exposed Windows users to unnecessary exploitation, but the good news is that Microsoft recognized this problem and fixed the RCE flaw as a top priority in MS16-102.

CVE-2016-3319 also affects Windows 8.1 and Windows Server 2012, where the vulnerable library is also deployed. Exploitation of these operating systems is not as easy as tricking a user into accessing a URL via Edge, like in Windows 10.

If you can't update your OS just yet, there are mitigation techniques to prevent some exploitation scenarios, described by Microsoft in its security bulletin MS16-102.

Edge set as default app for opening PDF files on Windows 10
Edge set as default app for opening PDF files on Windows 10

Photo Gallery (2 Images)

Opening PDF files in Edge on Windows 10 can be dangerous without MS16-102 installed
Edge set as default app for opening PDF files on Windows 10
Open gallery