Google has patched a high-severity vulnerability in its Chrome browser that allowed attackers to execute code on targeted systems through a malicious PDF.
Researchers at Cisco said users were at risk if they were enticed to view a specially crafted PDF document with an embedded jpeg2000 image within Google’s Chrome default PDF viewer, called PDFium.
“Being fairly easy for an attacker to take advantage of this vulnerability, the most effective attack vector is for the threat actor to place a malicious PDF file on a website then redirect victims to the website using either phishing emails or even malvertising,” wrote the Cisco Talos team in a technical description of the vulnerability publicly disclosed on Thursday.
The bug was reported to Google on May 19. Google shipped an updated “stable” version of Chrome (51.0.2704.63) on May 25 that fixed the flaw. Chrome downloads updates automatically, but an update is only applied once users restart the browser.
Classified as a high-risk heap-based buffer overflow vulnerability, the flaw was in PDFium in Google Chrome before 51.0.2704.63, according to the Common Vulnerabilities and Exposures description. Also vulnerable to attack are all git versions of PDFium used by the open source community, according to Cisco Talos.
Foxit Software, which developed the PDF rendering engine used in the Google Chrome browser, also patched its git PDFium version within the same timeframe as Google, Cisco Talos said. Google added the PDFium component to the Chrome browser in 2014 as part of its open-source software library project. It’s unclear how long the PDFium vulnerability has existed or whether it has been exploited in a real-world attack.
The PDFium vulnerability (CVE-2016-1681) was discovered by Talos researcher Aleksandar Nikolic, who was awarded $3,000 for the discovery through Google’s bug bounty program, according to a Google blog post.
Cisco Talos said the heap overflow flaw is triggered by a simple embedded jpeg2000 image within the PDF. “A heap buffer overflow vulnerability is present in the jpeg2000 image parser library as used by the Chrome’s PDF renderer, PDFium. The vulnerability is located in the underlying jpeg2000 parsing library, OpenJPEG, but is made exploitable in case of Chrome due to special build process,” wrote Cisco Talos.
According to Cisco Talos, the vulnerability was easily fixed by changing an “assert” programming instruction to an “if” statement that prevents the heap overflow. An assert is only evaluated in debug builds and is compiled out of release builds such as shipping Chrome, so a size check expressed as an assert silently disappears from the production binary, whereas an if statement enforces the check in every build.
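To illustrate why an assert is not a security check, here is a constructed C example added for this article; it is not OpenJPEG, PDFium or Chrome code and does not reproduce the actual bug. A toy tile decoder copies `width * height` pixel bytes into a fixed buffer. The “before” version guards the size with a macro (`RELEASE_ASSERT`, an assumed name) that expands to nothing, exactly as `assert()` does once `NDEBUG` is defined for a release build; the “after” version uses an `if` that also rejects a multiplication overflow. A guard region placed right after the pixel buffer, inside the same object, shows which version lets the oversized tile write past the buffer.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed example: a toy image-tile decoder, not OpenJPEG/PDFium code. */

#define TILE_BUF   64    /* bytes the caller allocated for pixel data */
#define CANARY_LEN 16    /* guard bytes placed right after the pixel buffer */
#define CANARY_BYTE 0xA5

/* What assert(cond) expands to when NDEBUG is defined (a release build):
   the condition is not even evaluated, so the check vanishes entirely. */
#define RELEASE_ASSERT(cond) ((void)0)

struct tile_header { uint32_t width; uint32_t height; };

/* Destination with a guard region after it, so an overrun stays inside
   this one object (defined behaviour) and can be detected afterwards. */
struct tile_dest {
    unsigned char pixels[TILE_BUF];
    unsigned char canary[CANARY_LEN];
};

static void dest_init(struct tile_dest *d) {
    memset(d->pixels, 0, sizeof d->pixels);
    memset(d->canary, CANARY_BYTE, sizeof d->canary);
}

int canary_intact(const struct tile_dest *d) {
    for (size_t i = 0; i < CANARY_LEN; i++)
        if (d->canary[i] != CANARY_BYTE) return 0;
    return 1;
}

/* "Before": the size check is an assert. In a release build it is gone,
   and the copy runs for as many bytes as the untrusted header claims. */
int decode_tile_assert_style(const struct tile_header *h, struct tile_dest *d) {
    size_t n = (size_t)h->width * h->height;
    RELEASE_ASSERT(n <= sizeof d->pixels);
    if (n > sizeof *d) n = sizeof *d;   /* keep the demo inside the object */
    unsigned char *raw = (unsigned char *)d;
    for (size_t i = 0; i < n; i++) raw[i] = (unsigned char)i;
    return 0;
}

/* "After": an if statement that survives every build configuration,
   plus a guard against width*height wrapping around. */
int decode_tile_checked(const struct tile_header *h, struct tile_dest *d) {
    if (h->width != 0 && h->height > SIZE_MAX / h->width) return -1;
    size_t n = (size_t)h->width * h->height;
    if (n > sizeof d->pixels) return -1;   /* refuse the oversized tile */
    for (size_t i = 0; i < n; i++) d->pixels[i] = (unsigned char)i;
    return 0;
}

/* Header claiming 80 bytes of pixels for a 64-byte buffer (constructed). */
static const struct tile_header OVERSIZED = { 16, 5 };
static const struct tile_header FITTING   = { 8, 8 };

/* Returns 1 if the assert-style decoder overwrote the guard region. */
int assert_style_corrupts_guard(void) {
    struct tile_dest d;
    dest_init(&d);
    decode_tile_assert_style(&OVERSIZED, &d);
    return !canary_intact(&d);
}

/* Returns 1 if the checked decoder rejected the tile and left the guard alone. */
int checked_rejects_and_keeps_guard(void) {
    struct tile_dest d;
    dest_init(&d);
    int rc = decode_tile_checked(&OVERSIZED, &d);
    return rc == -1 && canary_intact(&d);
}

/* Returns 1 if the checked decoder still accepts a tile that fits. */
int checked_accepts_fitting_tile(void) {
    struct tile_dest d;
    dest_init(&d);
    return decode_tile_checked(&FITTING, &d) == 0 && canary_intact(&d);
}

int main(void) {
    printf("assert-style decoder overwrote guard: %d\n", assert_style_corrupts_guard());
    printf("if-checked decoder rejected tile:     %d\n", checked_rejects_and_keeps_guard());
    printf("if-checked decoder accepted good tile: %d\n", checked_accepts_fitting_tile());
    return 0;
}
```

The takeaway for reviewers of parsing code is that any check on attacker-controlled sizes (image dimensions, chunk lengths, counts) must be an `if` with an error path, and that a build which defines `NDEBUG` should be part of the test matrix so that checks silently removed by the preprocessor are caught before release.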