Aleksandar Nikolic, a researcher at Cisco Talos, has discovered a vulnerability in PDFium, the default PDF reader in Google Chrome. The flaw is an arbitrary code execution one, and is outlined as CVE-2016-1681.
The vulnerability can be exploited when a PDF that includes an embedded jpeg2000 image activates an exploitable heap buffer overflow.
More about CVE-2016-1681
“An existing assert call in the OpenJPEG library prevents the heap overflow in standalone builds, but in the build included in release versions of Chrome, the assertions are omitted“, the researcher writes.
By simply viewing a PDF document that includes an embedded jpeg2000 image, the attacker can achieve arbitrary code execution on the victim’s system. The most effective attack vector is for the threat actor to place a malicious PDF file on a website and and then redirect victims to the website using either phishing emails or even malvertising.
Luckily, Google has already fixed the flaw, and it was a small one indeed. In fact, Google was very quick – Talos reported the vulnerability on May 19th, and the fix was ready by May 25th. The correction includes a single line of code that altered an assert to an if.
If you’re a Chrome user, you should update your browser, and version 51.0.2704.63 is what you need so that the CVE is not exploitable. Nonetheless, Chrome is set to auto-update unless you have decided otherwise. In this case, you’ll need to update manually.