A tricky vulnerability patched today in the Windows PDF Library could have put Microsoft Edge users on Windows 10 systems at risk of remote code execution attacks.
Unlike most other browsers, Edge automatically renders PDF content when it is set as a computer's default browser; as a result, an exploit would execute simply by viewing a PDF online. While this bug has not been publicly disclosed or exploited in the wild, it is expected to be an attractive attack vector for attackers.
Microsoft patched this flaw in MS16-102, one of four critical security bulletins it published today. The vulnerability, CVE-2016-3319, corrupts memory when exploited and allows an attacker to run arbitrary code with the same privileges as the logged-on user. Microsoft said attackers could either lure victims to a site containing a malicious PDF, or upload a malicious PDF to a site that accepts user-provided content.
“Only Windows 10 systems with Microsoft Edge set as the default browser can be compromised simply by viewing a website. The browsers for all other affected operating systems do not automatically render PDF content, so an attacker would have no way to force users to view attacker-controlled content,” Microsoft said in its advisory. “Instead, an attacker would have to convince users to open a specially crafted PDF document, typically by way of an enticement in an email or instant message or by way of an email attachment.”
Microsoft suggested that organizations could remove Edge from the PDF reader default type association as a temporary workaround.
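As an added illustration that is not part of the original article, the following PowerShell check lets an administrator see which handler the current user's .pdf association points at on Windows 10. The registry path is the standard per-user UserChoice key; the test for Edge (an AppX-style ProgId whose Application subkey names MicrosoftEdge) is an assumption that should be verified against your own build.

```powershell
# Added example: audit which application handles .pdf for the current user.
# The UserChoice key is the standard Windows 10 per-user file association location.
$userChoice = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\UserChoice'

function Get-PdfHandler {
    $choice = Get-ItemProperty -Path $userChoice -ErrorAction SilentlyContinue
    if (-not $choice -or -not $choice.ProgId) {
        return [pscustomobject]@{ ProgId = $null; IsEdge = $false; Note = 'No per-user .pdf association set' }
    }
    $progId = $choice.ProgId
    # Assumption: Edge's PDF handler is registered under an AppX-style ProgId whose
    # Application subkey carries an ApplicationName mentioning MicrosoftEdge.
    $appKey  = "Registry::HKEY_CLASSES_ROOT\$progId\Application"
    $appName = (Get-ItemProperty -Path $appKey -ErrorAction SilentlyContinue).ApplicationName
    $isEdge  = ($progId -like 'AppX*') -and ("$appName" -match 'MicrosoftEdge')
    return [pscustomobject]@{ ProgId = $progId; IsEdge = $isEdge; Note = "$appName" }
}

$result = Get-PdfHandler
$result | Format-List
if ($result.IsEdge) {
    Write-Warning 'Edge is the default PDF handler: PDFs open automatically in the browser. Apply MS16-102 or change the .pdf association.'
}
```

Because UserChoice is per-user, run the check in each user's context (for example through a logon script or endpoint management tool) rather than once per machine.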
“It hasn’t been publicly disclosed, although with the prevalence of PDF format, it’s a safe bet that this is going to live in the attacker’s toolkits for years to come,” said Jon Rudolph, principal software engineer at Core Security.
The flaw, privately disclosed by Aleksandar Nikolic of Cisco Talos, is also listed in MS16-096, a separate critical update for Edge that addresses five remote code execution vulnerabilities and three information disclosure flaws. In addition to the PDF flaw, the remaining remote code execution bugs are memory corruption issues and a separate bug in the Chakra JavaScript engine.
Microsoft also published its customary monthly cumulative security update for Internet Explorer. MS16-095 patches remote code execution and information disclosure flaws in the browser, including most of the same CVEs patched in the Microsoft Edge bulletin.
Another bulletin rated critical, MS16-097, addresses three remote code execution vulnerabilities in the Microsoft Graphics Component found in Windows, Office, Skype for Business and Lync. The problem lies in the way the Windows font library handles specially crafted embedded fonts, Microsoft said.
The final critical bulletin, MS16-099, includes patches for four memory corruption issues that could lead to remote code execution in Office, covering versions from Office 2007 through Office 2016 for Windows and Mac. The bulletin also includes a patch for an information disclosure vulnerability in Microsoft OneNote which, Microsoft said, discloses memory contents that could be used to compromise a machine.
For the second month in a row, Microsoft released a security update for Secure Boot. Rated important, MS16-100 patches a security feature bypass bug that happens when Secure Boot improperly loads a vulnerable boot manager, Microsoft said.
“An attacker who successfully exploited this vulnerability could disable code integrity checks, allowing test-signed executables and drivers to be loaded onto a target device,” Microsoft said in its advisory. “Furthermore, the attacker could bypass Secure Boot Integrity Validation for BitLocker and Device Encryption security features.”
The remaining bulletins are rated important by Microsoft:
- MS16-098: Patches four elevation of privilege vulnerabilities in Windows Kernel-Mode drivers. Attackers would need local access to exploit these vulnerabilities, but successful exploits could result in arbitrary code execution.
- MS16-101: Patches two elevation of privilege flaws in the Windows authentication methods Kerberos and NetLogon. The Kerberos issue is related to improper handling of password change requests, while the NetLogon flaw is related to an improperly established secure communication channel to a domain controller.
- MS16-103: Patches an information disclosure vulnerability in the Windows ActiveSyncProvider in Windows 10. The flaw lives in Universal Outlook, which can fail to establish a secure connection, allowing attackers to steal usernames and passwords.