3 Recommended Solution 3.1 Security TipsĬurrently, Chrome has released no security patch to fix this vulnerability, but is scheduled to roll out a fix in April 2019.īefore April 2019 when the patch is available, users are advised to avoid using Chrome to open PDF files from external sources. This vulnerability exists in the PDF JavaScript API used by the Chrome browser, affecting all users that use Chrome to view PDF files. If combining this with the exploitation of the WinRAR code execution vulnerability disclosed on February 20, the attacker can, under a specific user name, craft a path to which the malicious file will be dropped and automatically executed, to cause more damage. From the full path of the PDF file, the attacker can learn the valid directory on the host. Full path of the PDF file on the user’s computerīy exploiting this vulnerability, an attacker can collect information at the initial stage of attack so as to find out the web file path, computer user name, host name, and so on, preparing himself or herself for a more targeted attack in the next step.Operating system version and Chrome version.Personal information that can be leaked includes the following: An attacker could cause a user’s Chrome browser to send his or her personal information to an attacker-designated location simply by adding a special API call in PDF. This vulnerability exists in the PDF JavaScript API used by Google Chrome. Up to now, a number of malicious samples have been found to exploit this vulnerability in the wild.
On February 28, 2019, a security vendor outside of China spotted a 0-day vulnerability in Google’s Chrome browser, which could lead to information disclosure upon a user’s opening of a malicious PDF file using Chrome.
0 kommentar(er)
