This article is more than 1 year old
Chrome's PDF reader has arbitrary code execution flaw
Keep Chrome up to date, people, unless you want PDFs to get you asking WTF?
A Researcher at Cisco's Talos limb have discovered an arbitrary code execution flaw in PDFium, the PDF reader installed by default in Google's Chrome browser.
CVE-2016-1681, discovered by Talos' Aleksandar Nikolic, means that PDF that includes an embedded jpeg2000 image can trigger an exploitable heap buffer overflow.
The flaw looks like it is down to a tiny error by Chrome's developers, as Nikolic writes that “An existing assert call in the OpenJPEG library prevents the heap overflow in standalone builds, but in the build included in release versions of Chrome, the assertions are omitted.”
That omission means that when PDFium invokes the OpenJPEG library, it can create a buffer overflow. Once that's happened, bad guys can go to town with their own code.
Nikolic writes that Google has fixed the flaw, with a single line of code that changed an assert to an if.
You can take advantage of that change by simply keeping Chrome up to date: version 51.0.2704.63 makes the change to knock the bug on the head. Chrome auto-updates unless instructed to do otherwise, so most users will be protected.
Google acted with impressive speed after learning of the bug: Nikolic says Talos reported the flaw on May 19th and that Google fixed it on May 25th. ®