At the same time as Microsoft introduced Windows 10, it also launched a new browser – Microsoft Edge. After all the security and privacy issues around Internet Explorer, this was supposed to be a fresh start, a clean slate.
Edge has certainly introduced some awesome new features. The annotatable web pages, the reading list, and the sleek design all mark great leaps forward when compared with its predecessor.
Alas, the new browser has also introduced new problems. The latest issue to receive media attention is its PDF exploit.
But what is it? Are you safe? And is Edge unique with these types of issues? Let’s investigate.
What Is It?
The exploit revolves around the Windows Runtime PDF Renderer library (WinRT PDF). The main purpose of the software is to allow developers to easily integrate a PDF viewing feature inside their programs.
That means it is present in a lot of Windows Apps (apps downloaded from the Windows Store) and baked-in Windows 10 software. Everything from OneNote to third-party PDF readers make use of it. Edge uses it as its default PDF reader, so PDFs embedded within a web page will automatically be opened in the library.
IBM researcher Mark Vincent Yason originally discovered the flaw. He found out that WinRT PDF can be used in drive-by attacks by putting malicious code in a hidden frame in a PDF document. It is very similar to how Java and Flash were exploited in the past.
How Does It Work?
The problems arise as a result of Edge’s use of WinRT PDF.
Theoretically, a hacker could contain a WinRT PDF exploit within a PDF file, which could be secretly opened using an iframe positioned off-screen by CSS. All would-be attackers need to do is find and create a database of WinRT vulnerabilities which can be leveraged to distribute their malware.
The WinRT PDF exploit would ultimately be performed in the same way that exploit kits like Angler or Neutrino take advantage of Flash, Java, and Silverlight vulnerabilities.
Once the exploit has been executed, your computer will be exposed to all sorts of security threats; personal data becomes easy to steal, and viruses and malware can be injected onto your machine at the whim of the hacker.
Are There Safeguards and Are You at Risk?
Despite the dire warnings, you are probably not at risk – yet. At the time of writing, no WinRT PDF exploits have been found in the wild.
“WinRT PDF opens up an additional attack surface that can be leveraged to attack the Edge browser. But for now, exploiting WinRT PDF via Edge is expensive because of the combined exploit mitigations in place. Interest in WinRT PDF and the development of new exploitation techniques will determine when an Edge drive-by exploit leveraging a WinRT PDF vulnerability will be seen in the wild.” — Mark Vincent Yason
Windows 10 uses former “Enhanced Mitigation Experience Toolkit” (EMET) features such as “Address Space Layout Randomization” (ASLR) protection and Control Flow Guard.
These tools help to prevent vulnerabilities in software from being exploited. They do this by introducing special protections and obstacles that a hacker must overcome if they are to gain access to the security flaws.
These protections make exploiting the WinRT PDF reader vulnerability a time-consuming and costly affair, and is probably why we are yet to see one of these exploits in the wild.
In short – don’t panic, but be vigilant.
What About Other Browsers?
Could simply avoiding Edge keep you safe? Well, yes and no.
Firefox naturally responded with security patches immediately – but the story proves that no browser will ever be entirely safe from any given threat.
Chrome is less secure. Like Edge, the PDF reader is implemented as a binary model. It is then sandboxed away from other parts of the operating system – but that sandboxing remains the main line of defense.
Should We Give Edge Some Leeway?
In all of this, it is important to remember that Edge is still less than a year old. There are lots of promising signs for the future, but at present it is an unfinished product.
Let’s not be too hard on Edge. Was Chrome perfect upon its initial release back in 2008? How about Firefox in 2002?
Edge would have been crucified if it didn’t support bookmarks or mouse wheel scrolling upon general release.
A Work in Progress…
Modern computing apps are never truly “finished”. They are works in progress that are on a constant cycle of updates and improvements.
Edge is only nine months into its life. While anti-Edge / anti-Microsoft people will surely use this exploit as another stick with which to bash the browser, the truth remains that in many respects it is looking very promising.
If extensions come to fruition later this year as expected, it will be able to compete with the best in the business.
What’s your opinion of Edge and the exploit news? Are you someone who thinks Edge is doomed to failure, or could we see it become the market leader in the future? Let us know in the comments.