Microsoft Edge’s PDF Exploit: What You Need to Know

Ads by Google

At the same time as Microsoft introduced Windows 10, it also launched a new browser – Microsoft Edge. After all the security and privacy issues around Internet Explorer, this was supposed to be a fresh start, a clean slate.

Edge has certainly introduced some awesome new features. The annotatable web pages, the reading list, and the sleek design all mark great leaps forward when compared with its predecessor.

Alas, the new browser has also introduced new problems. The latest issue to receive media attention is its PDF exploit.

But what is it? Are you safe? And is Edge unique with these types of issues? Let’s investigate.

What Is It?

The exploit revolves around the Windows Runtime PDF Renderer library (WinRT PDF). The main purpose of the software is to allow developers to easily integrate a PDF viewing feature inside their programs.

That means it is present in a lot of Windows Apps (apps downloaded from the Windows Store) and baked-in Windows 10 software. Everything from OneNote to third-party PDF readers make use of it. Edge uses it as its default PDF reader, so PDFs embedded within a web page will automatically be opened in the library.

Ads by Google


IBM researcher Mark Vincent Yason originally discovered the flaw. He found out that WinRT PDF can be used in drive-by attacks by putting malicious code in a hidden frame in a PDF document. It is very similar to how Java and Flash were exploited in the past.

How Does It Work?

The problems arise as a result of Edge’s use of WinRT PDF.

Theoretically, a hacker could contain a WinRT PDF exploit within a PDF file, which could be secretly opened using an iframe positioned off-screen by CSS. All would-be attackers need to do is find and create a database of WinRT vulnerabilities which can be leveraged to distribute their malware.

The WinRT PDF exploit would ultimately be performed in the same way that exploit kits like Angler or Neutrino take advantage of Flash, Java, and Silverlight vulnerabilities.

Once the exploit has been executed, your computer will be exposed to all sorts of security threats; personal data becomes easy to steal, and viruses and malware can be injected onto your machine at the whim of the hacker.

Are There Safeguards and Are You at Risk?

Despite the dire warnings, you are probably not at risk – yet. At the time of writing, no WinRT PDF exploits have been found in the wild.

“WinRT PDF opens up an additional attack surface that can be leveraged to attack the Edge browser. But for now, exploiting WinRT PDF via Edge is expensive because of the combined exploit mitigations in place. Interest in WinRT PDF and the development of new exploitation techniques will determine when an Edge drive-by exploit leveraging a WinRT PDF vulnerability will be seen in the wild.” — Mark Vincent Yason

Windows 10 uses former “Enhanced Mitigation Experience Toolkit” (EMET) features such as “Address Space Layout Randomization” (ASLR) protection and Control Flow Guard.

These tools help to prevent vulnerabilities in software from being exploited. They do this by introducing special protections and obstacles that a hacker must overcome if they are to gain access to the security flaws.

These protections make exploiting the WinRT PDF reader vulnerability a time-consuming and costly affair, and is probably why we are yet to see one of these exploits in the wild.

In short – don’t panic, but be vigilant.

What About Other Browsers?

Could simply avoiding Edge keep you safe? Well, yes and no.

Firefox’s internal PDF reader is widely considered to be the most secure; it is written entirely in JavaScript and makes use of APIs and functionality that are already used elsewhere online. The result is using Firefox to open PDFs isn’t any less secure than regular day-to-day Internet browsing.

But even that hasn’t made Firefox 100 percent secure. In August 2015, an exploit was discovered on a Russian news site which searched for sensitive files on a local machine and uploaded them to a server in Ukraine. In worked by injecting a JavaScript payload into the local file context.

Firefox naturally responded with security patches immediately – but the story proves that no browser will ever be entirely safe from any given threat.

Chrome is less secure. Like Edge, the PDF reader is implemented as a binary model. It is then sandboxed away from other parts of the operating system – but that sandboxing remains the main line of defense.

Should We Give Edge Some Leeway?

In all of this, it is important to remember that Edge is still less than a year old. There are lots of promising signs for the future, but at present it is an unfinished product.

Let’s not be too hard on Edge. Was Chrome perfect upon its initial release back in 2008? How about Firefox in 2002?

When Chrome first became available there was no support for mouse wheels or bookmarks. It wasn’t until version four (two years after its initial release) that we saw the introduction of extensions. It also took two years to pass the Acid3 test — a way of testing a browser’s compliance with web standards such as the Document Object Model (DOM) and JavaScript. Firefox still can’t pass it.

Edge would have been crucified if it didn’t support bookmarks or mouse wheel scrolling upon general release.

A Work in Progress…

Modern computing apps are never truly “finished”. They are works in progress that are on a constant cycle of updates and improvements.

Edge is only nine months into its life. While anti-Edge / anti-Microsoft people will surely use this exploit as another stick with which to bash the browser, the truth remains that in many respects it is looking very promising.

If extensions come to fruition later this year as expected, it will be able to compete with the best in the business.

What’s your opinion of Edge and the exploit news? Are you someone who thinks Edge is doomed to failure, or could we see it become the market leader in the future? Let us know in the comments.

Join live MakeUseOf Groups on Grouvi App Join live Groups on Grouvi
Awesome Internet (and Tips)
Awesome Internet (and Tips)
1420 Members
Stay Invisible Online
Stay Invisible Online
1035 Members
Web Security & Privacy
Web Security & Privacy
510 Members
Affiliate Disclamer

This article may contain affiliate links, which pays us a small compensation if you do decide to make a purchase based on our recommendation. Our judgement is in no way biased, and our recommendations are always based on the merits of the items.

For more details, please read our disclosure.
New comment

Please login to avoid entering captcha

Log In