Critical Attack Flaw Found In Google Chrome

Matt Broersma is a long standing tech freelance, who has worked for Ziff-Davis, ZDnet and other leading publications

Follow on: Google +

An easy-to-exploit bug in Chrome’s default PDF reader could allow attackers to take over a system

Computer security researchers have discovered a bug in a component used in Google’s Chrome browser that they say could allow attackers to easily take over a vulnerable system.

The bug could be exploited by tricking a users running a vulnerable version of Chrome into viewing a malicious PDF file, according to researchers at Talos, a division of Cisco.


PDF risk

Chrome last month passed Internet Explorer as the most widely used browser worldwide.

“By simply viewing a PDF document that includes an embedded jpeg2000 image, the attacker can achieve arbitrary code execution on the victim’s system,” they wrote in an advisory.

The attack is made possible by a bug in PDFium, the default PDF reader in Chrome, they said. The vulnerability was found in the reader’s jpeg2000 parsing library, called OpenJPEG, but is only exploitable in Chrome due to particularities in the way the browser is built, they said.

Talos’ researchers said they tested the bug and found that it was “fairly easy” to exploit.

‘Easy’ attack

“The only difference between a valid jpeg2000 file and the one that triggers this vulnerability is the fact that SIZ marker specifies 0 components,” they wrote. “The most effective attack vector is for the threat actor to place a malicious PDF file on a website and and then redirect victims to the website using either phishing emails or even malvertising. Users frequently browse PDF files when surfing the web.”

Talos said it reported the bug to Google last month and a fix was included with Chrome’s 51.0.2704.63 release on May 25. The firm urged users to ensure their browser is up to date, warning that even though the browser updates automatically, users must restart to enable the latest version.

Like other software makers, Google offers a bug bounty for Chrome, doubling it to $100,000 (£70,500) earlier this year.

Google said last month it plans to disable Adobe’s Flash in the browser by default this autumn in order to head off frequent security risks introduced by the component.

Are you a security pro? Try our quiz!