A security firm said this week that it discovered malicious PDF documents exploiting a Google Chrome browser zero-day. The vulnerability allowed attackers to collect data from users who opened PDF files inside Chrome’s built-in PDF viewer.
Exploit detection service EdgeSpot, the company that found these malicious files, says the PDF documents would contact a remote domain with information on the users’ device –such as IP address, OS version, Chrome version, and the path of the PDF file on the user’s computer.
This phone-home behavior did not take place when researchers opened the same PDF files in desktop PDF viewer apps, such as Adobe Reader and others, but was limited to Chrome only.
The company said it spotted two distinct sets of malicious PDF files exploiting this Chrome zero-day, with one series of files being spread around in October 2017, and the second set in September 2018.
The first batch of malicious PDF files sent user data back to the “readnotify.com” domain, while the second sent it to “zuxjk0dftoamimorjl9dfhr44vap3fr7ovgi76w.burpcollaborator.net.”
There was no additional malicious code in the PDF files that EdgeSpot discovered. However, collecting data on users who open a PDF file can aid attackers in fine-tuning future attacks and exploits.
Researchers said they notified Google over the Christmas holiday, last year, when they first discovered the documents. The Chrome team acknowledged the zero-day and promised a fix for late April.
“We decided to release our finding prior to the patch because we think it’s better to give the affected users a chance to be informed/alerted of the potential risk, since the active exploits/samples are in the wild while the patch is not near away,” researchers said in a blog post yesterday.
The blog post also contains samples and indicators of compromise (IOCs) for the malicious PDF files the company discovered.
Until a patch is out, EdgeSpot is recommending that users either use a desktop app to view PDF files or disable their internet connection while they open PDF documents in Chrome.
In unrelated research, but also connected to the world of PDF documents, earlier this week, security researchers revealed vulnerabilities that allowed them to fake signatures on 21 of 22 desktop PDF viewer apps and 5 out of 7 online PDF digital signing services.
More browser coverage:
- Google backtracks on Chrome modifications that would have crippled ad blockers
- A third of all Chrome extensions request access to user data on any site
- Microsoft Edge lets Facebook run Flash code behind users’ backs
- Surveillance firm asks Mozilla to be included in Firefox’s certificate whitelist
- New browser attack lets hackers run bad code even after users leave a web page
- Google working on new Chrome security feature to ‘obliterate DOM XSS’
- What enterprises need to know about the new Chromium-based Edge TechRepublic
- Ad-blocking Brave gets memory advantage over Chrome on news websites CNET
Source Article from https://www.zdnet.com/article/google-chrome-zero-day-used-in-the-wild-to-collect-user-data-via-pdf-files/#ftag=RSSbaffb68
Google Chrome zero-day used in the wild to collect user data via PDF files
Latest blogs for ZDNet
Latest blogs for ZDNet