WinRT PDF found to be a possible vulnerability in Edge for Windows 10
With the introduction of Windows 10, Microsoft said goodbye to Internet Explorer, the aging Netscape killer, and hello to Edge. While the company has been increasingly vigilant about security and the nightmares of IE 6 have slowly faded away, with a new browser comes the potential for new problems.
Security researcher Mark Yason of IBM thinks he may have found a potential path to attack. Yason plans to demonstrate the flaw at the upcoming RSA USA 2016 conference.
The attack vector stems from EdgeHTML, which uses WinRT PDF to handle PDF files, something that saves customers from using a third-party program such as those from Adobe, Nitro and Foxit.
Windows Runtime (WinRT) has been around since the introduction of Windows 8.1. It aimed to aid developers with the incorporation of PDF files into their apps.
Yason points out that "WinRT libraries such as WinRT PDF have well-documented APIs that applications can use. In the case of WinRT PDF, the Windows.Data.Pdf namespace provides the necessary classes that would allow applications to render PDFs into image files. Interestingly, in addition to using the documented WinRT PDF APIs, EdgeHTML uses additional, nondocumented WinRT PDF APIs that enable features such as PDF text searching and selection".
With Windows 10, WinRT PDF has become prominent because it is fully integrated with the Edge browser. However, that integration also makes it directly reachable by attackers looking to mount drive-by attacks.
This integration is enabled by default in Edge, and there is no opt-out as of now. Yason concludes, "WinRT PDF opens up an additional attack surface that can be leveraged to attack the Edge browser. But for now, exploiting WinRT PDF via Edge is expensive because of the combined exploit mitigations in place. Interest in WinRT PDF and the development of new exploitation techniques will determine when an Edge drive-by exploit leveraging a WinRT PDF vulnerability will be seen in the wild".