Browsers Security

Microsoft Edge’s PDF Exploit: What You Need to Know

Dan Price 15-03-2016

At the same time as Microsoft introduced Windows 10 Make Today Your Launch Day: Get Windows 10 Now! You're eager to install Windows 10. Unfortunately, you missed the Insider Preview and now it's taking a while until the upgrade will be rolled out to you. Here's how to get Windows 10 now! Read More , it also launched a new browser – Microsoft Edge. After all the security and privacy issues around Internet Explorer, this was supposed to be a fresh start, a clean slate.


Edge has certainly introduced some awesome new features 10 Reasons You Should Be Using Microsoft Edge Now Microsoft Edge marks a complete break from the Internet Explorer brand name, killing off a 20-year-old family tree in the process. Here's why you should be using it. Read More . The annotatable web pages, the reading list, and the sleek design all mark great leaps forward when compared with its predecessor.

Alas, the new browser has also introduced new problems. The latest issue to receive media attention is its PDF exploit.

But what is it? Are you safe? And is Edge unique with these types of issues? Let’s investigate.

What Is It?

The exploit revolves around the Windows Runtime PDF Renderer library (WinRT PDF). The main purpose of the software is to allow developers to easily integrate a PDF viewing feature inside their programs.

That means it is present in a lot of Windows Apps (apps downloaded from the Windows Store) and baked-in Windows 10 software How to Disable the Microsoft Edge Browser in Windows 10 Windows 10's Edge browser can't be removed or uninstalled. However, there's a tool you can use to disable it so it never launches ever again. Read More . Everything from OneNote to third-party PDF readers make use of it. Edge uses it as its default PDF reader, so PDFs embedded within a web page will automatically be opened in the library.



IBM researcher Mark Vincent Yason originally discovered the flaw. He found out that WinRT PDF can be used in drive-by attacks by putting malicious code in a hidden frame in a PDF document. It is very similar to how Java and Flash were exploited This Is How They Hack You: The Murky World of Exploit Kits Scammers can use software suites to exploit vulnerabilities and create malware. But what are these exploit kits? Where do they come from? And how can they be stopped? Read More in the past.

How Does It Work?

The problems arise as a result of Edge’s use of WinRT PDF.

Theoretically, a hacker could contain a WinRT PDF exploit within a PDF file, which could be secretly opened using an iframe positioned off-screen by CSS. All would-be attackers need to do is find and create a database of WinRT vulnerabilities which can be leveraged to distribute their malware.


The WinRT PDF exploit would ultimately be performed in the same way that exploit kits like Angler or Neutrino take advantage of Flash, Java, and Silverlight vulnerabilities.

Once the exploit has been executed, your computer will be exposed to all sorts of security threats; personal data becomes easy to steal The 3 People Most Likely to Hack Your Data & Privacy Who are the people most likely to breach your privacy and tamper with your data? Read More , and viruses and malware can be injected onto your machine at the whim of the hacker.

Are There Safeguards and Are You at Risk?

Despite the dire warnings, you are probably not at risk – yet. At the time of writing, no WinRT PDF exploits have been found in the wild.

“WinRT PDF opens up an additional attack surface that can be leveraged to attack the Edge browser. But for now, exploiting WinRT PDF via Edge is expensive because of the combined exploit mitigations in place. Interest in WinRT PDF and the development of new exploitation techniques will determine when an Edge drive-by exploit leveraging a WinRT PDF vulnerability will be seen in the wild.” — Mark Vincent Yason

Windows 10 uses former “Enhanced Mitigation Experience Toolkit” (EMET) features such as “Address Space Layout Randomization” (ASLR) protection and Control Flow Guard.


These tools help to prevent vulnerabilities in software from being exploited. They do this by introducing special protections and obstacles that a hacker must overcome if they are to gain access to the security flaws.

These protections make exploiting the WinRT PDF reader vulnerability a time-consuming and costly affair, and is probably why we are yet to see one of these exploits in the wild.

In short – don’t panic, but be vigilant.

What About Other Browsers?

Could simply avoiding Edge keep you safe? Well, yes and no.


Firefox’s internal PDF reader is widely considered to be the most secure; it is written entirely in JavaScript and makes use of APIs and functionality that are already used elsewhere online. The result is using Firefox to open PDFs isn’t any less secure than regular day-to-day Internet browsing.

But even that hasn’t made Firefox 100 percent secure. In August 2015, an exploit was discovered Update Firefox Now! Or a Security Flaw Can Steal Your Local Files You need to fire up Firefox and download the latest version right now. Mozilla has issued a critical update that fixes a major security flaw, which could let hackers steal files from your hard drive. Read More on a Russian news site which searched for sensitive files on a local machine and uploaded them to a server in Ukraine. In worked by injecting a JavaScript payload into the local file context.

Firefox naturally responded with security patches immediately – but the story proves that no browser will ever be entirely safe from any given threat.

Chrome is less secure. Like Edge, the PDF reader is implemented as a binary model. It is then sandboxed away from other parts of the operating system – but that sandboxing remains the main line of defense.

Should We Give Edge Some Leeway?

In all of this, it is important to remember that Edge is still less than a year old Microsoft Gets the Edge, 1 Billion Devices Running Windows 10, & More... [Tech News Digest] Microsoft has the Edge, Windows 10 is huge, Secret gets shut, embed MS-DOS games in tweets, make money from Silent Hills, and watch Michael Bay get shown up by an amateur filmmaker. Read More . There are lots of promising signs for the future, but at present it is an unfinished product.

Let’s not be too hard on Edge. Was Chrome perfect upon its initial release back in 2008? How about Firefox in 2002?

When Chrome first became available there was no support for mouse wheels or bookmarks. It wasn’t until version four (two years after its initial release) that we saw the introduction of extensions. It also took two years to pass the Acid3 test — a way of testing a browser’s compliance with web standards such as the Document Object Model (DOM) and JavaScript. Firefox still can’t pass it.

Edge would have been crucified if it didn’t support bookmarks or mouse wheel scrolling upon general release.

A Work in Progress…

Modern computing apps are never truly “finished”. They are works in progress that are on a constant cycle of updates and improvements.

Edge is only nine months into its life. While anti-Edge / anti-Microsoft people will surely use this exploit as another stick with which to bash the browser, the truth remains that in many respects it is looking very promising.

If extensions come to fruition later this year as expected, it will be able to compete with the best in the business.

What’s your opinion of Edge and the exploit news? Are you someone who thinks Edge is doomed to failure, or could we see it become the market leader in the future? Let us know in the comments.

Related topics: Computer Security, Microsoft Edge, PDF.

Affiliate Disclosure: By buying the products we recommend, you help keep the site alive. Read more.

Whatsapp Pinterest

Leave a Reply

Your email address will not be published. Required fields are marked *

  1. Ronny Bryant
    March 15, 2016 at 4:08 pm

    I think this ENTIRE article is bull$hit!!!

    You are preaching fear at the outset - why??? Probably to get people (like me) to read your whack a$$ article. Or maybe to create further confusion amongst consumers.

    Your article did NOT need to start out the way it did. You end up saying "don’t panic", but the very nature of your article IS one of panic?!?

    Why can't you tech journalists be REAL for a change? Tell the truth without the trickery?

    Oh, yeah, because you're NOT actually journalist (is probably one of the reasons for this behavior).