A tricky vulnerability patched today in the Windows PDF Library could have put Microsoft Edge users on Windows 10 systems at risk for remote code execution attacks.
Unlike most other browsers, Edge automatically renders PDF content when it’s set as a computer’s default browser, which means an exploit would execute when a user simply views a PDF online. While this bug has been neither publicly disclosed nor exploited in attacks, it’s expected to be an attractive attack vector for hackers.
Microsoft patched this flaw in MS16-102, one of four critical security bulletins it published today. The vulnerability, CVE-2016-3319, corrupts memory when exploited and allows an attacker to run arbitrary code with the same privileges as the user. Microsoft said attackers could either lure victims to a site containing a malicious PDF, or add an infected PDF to a site that accepts user-provided content.
“Only Windows 10 systems with Microsoft Edge set as the default browser can be compromised simply by viewing a website. The browsers for all other affected operating systems do not automatically render PDF content, so an attacker would have no way to force users to view attacker-controlled content,” Microsoft said in its advisory. “Instead, an attacker would have to convince users to open a specially crafted PDF document, typically by way of an enticement in an email or instant message or by way of an email attachment.”
Microsoft suggested that organizations could remove Edge from the PDF reader default type association as a temporary workaround.
“It hasn’t been publicly disclosed, although with the prevalence of PDF format, it’s a safe bet that this is going to live in the attacker’s toolkits for years to come,” said Jon Rudolph, principal software engineer at Core Security.
The flaw, privately disclosed by Aleksandar Nikolic of Cisco Talos, is also listed in MS16-096, a separate critical update for Edge that addresses five remote code execution vulnerabilities and three information disclosure flaws. In addition to the PDF flaw, the remaining remote code execution bugs are memory corruption issues and a separate bug in the Chakra JavaScript engine.
Microsoft also published its customary monthly cumulative security update for Internet Explorer. MS16-095 patches remote code execution and information disclosure flaws in the browser, including most of the same CVEs patched in the Microsoft Edge bulletin.
Another bulletin rated critical, MS16-097, addresses three remote code execution vulnerabilities in the Microsoft Graphics Component found in Windows, Office, Skype for Business and Lync. The problem lies in the way the Windows font library handles specially crafted embedded fonts, Microsoft said.
The final critical bulletin, MS16-099, includes patches for four memory corruption issues that could lead to remote code execution in Office going back to Office 2007 and including Office 2016 for Windows and Mac. The bulletin also includes a patch for an information disclosure vulnerability in Microsoft OneNote, which, Microsoft said, discloses memory contents, information that could be used to compromise a machine.
For the second month in a row, Microsoft released a security update for Secure Boot. Rated important, MS16-100 patches a security feature bypass bug that happens when Secure Boot improperly loads a vulnerable boot manager, Microsoft said.
“An attacker who successfully exploited this vulnerability could disable code integrity checks, allowing test-signed executables and drivers to be loaded onto a target device,” Microsoft said in its advisory. “Furthermore, the attacker could bypass Secure Boot Integrity Validation for BitLocker and Device Encryption security features.”
The remaining bulletins are rated important by Microsoft:
technet.microsoft.com/library/security/MS16-095
technet.microsoft.com/library/security/MS16-096
technet.microsoft.com/library/security/MS16-097
technet.microsoft.com/library/security/MS16-098
technet.microsoft.com/library/security/MS16-099
technet.microsoft.com/library/security/MS16-100
technet.microsoft.com/library/security/MS16-101
technet.microsoft.com/library/security/MS16-102
technet.microsoft.com/library/security/MS16-103