Aleksandar Nikolic, a researcher at Cisco Talos, has discovered a vulnerability in PDFium, the default PDF reader in Google Chrome. The flaw is an arbitrary code execution one, and is tracked as CVE-2016-1681.
The vulnerability can be exploited when a PDF that includes an embedded jpeg2000 image activates an exploitable heap buffer overflow.
More about CVE-2016-1681
“An existing assert call in the OpenJPEG library prevents the heap overflow in standalone builds, but in the build included in release versions of Chrome, the assertions are omitted“, the researcher writes.
By simply viewing a PDF document that includes an embedded jpeg2000 image, the attacker can achieve arbitrary code execution on the victim’s system. The most effective attack vector is for the threat actor to place a malicious PDF file on a website and then redirect victims to the website using either phishing emails or even malvertising.
Fortunately, Google has already fixed the flaw, and it was a small one indeed. In fact, Google was very quick – Talos reported the vulnerability on May 19th, and the fix was ready by May 25th. The correction consists of a single line of code that changed an assert into an if.
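To show why an assert-only bounds check is not a real check, here is an added example (not OpenJPEG's or Chromium's code, and not the actual patch). It uses constructed names such as `image_header_t`, `MAX_COMPONENTS` and `copy_components_checked`, which are assumptions for illustration; the behaviour it relies on is standard C: `assert()` expands to nothing when the translation unit is compiled with `NDEBUG`, which is what release builds typically do.

```c
#include <assert.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_COMPONENTS 4
#define CANARY_VALUE   0xA5A5A5A5u

/* Constructed stand-in for an image header parsed from an untrusted codestream. */
typedef struct {
    uint32_t ncomps;        /* component count claimed by the file (attacker-controlled) */
    uint8_t  precision[16]; /* per-component precision values read from the file */
} image_header_t;

/* Constructed decoder state: a fixed-size array followed by a canary so the
 * helpers below can tell whether anything was written past the array. */
typedef struct {
    uint8_t  comp_precision[MAX_COMPONENTS];
    uint32_t canary;
} decoder_state_t;

/* Reports whether assert() is live in this build. Compiled with -DNDEBUG it
 * returns 0, which is exactly the release-build situation the article describes. */
int assertions_enabled(void)
{
#ifdef NDEBUG
    return 0;
#else
    return 1;
#endif
}

/* "Before" pattern: the only guard is an assert(). Under NDEBUG the assert
 * vanishes and an oversized ncomps writes past comp_precision (here into the
 * canary; on a real heap, into whatever follows the allocation). Deliberately
 * not exercised below: with asserts on it aborts, with them off it overflows. */
void copy_components_assert_only(decoder_state_t *st, const image_header_t *h)
{
    assert(h->ncomps <= MAX_COMPONENTS);
    for (uint32_t i = 0; i < h->ncomps; i++)
        st->comp_precision[i] = h->precision[i];
}

/* "After" pattern: an explicit if that survives every build configuration.
 * Returns 0 on success, -1 if the header is rejected; state is untouched on failure. */
int copy_components_checked(decoder_state_t *st, const image_header_t *h)
{
    if (h->ncomps > MAX_COMPONENTS)
        return -1;
    for (uint32_t i = 0; i < h->ncomps; i++)
        st->comp_precision[i] = h->precision[i];
    return 0;
}

/* Build a state with an armed canary and a header claiming `ncomps` components. */
static void setup(decoder_state_t *st, image_header_t *h, uint32_t ncomps)
{
    memset(st, 0, sizeof *st);
    memset(h, 0, sizeof *h);
    st->canary = CANARY_VALUE;
    h->ncomps = ncomps;
    for (size_t i = 0; i < sizeof h->precision; i++)
        h->precision[i] = (uint8_t)(8 + i);
}

/* Return code of the checked path for a header claiming `ncomps` components. */
int checked_path_rc(uint32_t ncomps)
{
    decoder_state_t st; image_header_t h;
    setup(&st, &h, ncomps);
    return copy_components_checked(&st, &h);
}

/* 1 if the canary survives the checked path for `ncomps` components, else 0. */
int checked_path_keeps_canary(uint32_t ncomps)
{
    decoder_state_t st; image_header_t h;
    setup(&st, &h, ncomps);
    (void)copy_components_checked(&st, &h);
    return st.canary == CANARY_VALUE;
}

int main(void)
{
    printf("assert() active in this build: %s\n", assertions_enabled() ? "yes" : "no");
    printf("header with 2 components: rc=%d canary_ok=%d\n",
           checked_path_rc(2), checked_path_keeps_canary(2));
    printf("header with 6 components: rc=%d canary_ok=%d\n",
           checked_path_rc(6), checked_path_keeps_canary(6));
    return 0;
}
```

Compile it once normally and once with `-DNDEBUG` to see `assertions_enabled()` flip; the checked path rejects the oversized header in both builds, which is the property the one-line fix restores. The wider lesson is that any check guarding memory written from untrusted input belongs in ordinary control flow, with asserts reserved for invariants that no input can violate.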
If you’re a Chrome user, you should update your browser: version 51.0.2704.63 is the one you need so that the CVE is not exploitable. That said, Chrome is set to auto-update unless you have decided otherwise. In that case, you’ll need to update manually.