Computer security researchers have discovered a bug in a component used in Google’s Chrome browser that they say could allow attackers to easily take over a vulnerable system.
The bug could be exploited by tricking a users running a vulnerable version of Chrome into viewing a malicious PDF file, according to researchers at Talos, a division of Cisco.
Chrome last month passed Internet Explorer as the most widely used browser worldwide.
“By simply viewing a PDF document that includes an embedded jpeg2000 image, the attacker can achieve arbitrary code execution on the victim’s system,” they wrote in an advisory.
The attack is made possible by a bug in PDFium, the default PDF reader in Chrome, they said. The vulnerability was found in the reader’s jpeg2000 parsing library, called OpenJPEG, but is only exploitable in Chrome due to particularities in the way the browser is built, they said.
Talos’ researchers said they tested the bug and found that it was “fairly easy” to exploit.
“The only difference between a valid jpeg2000 file and the one that triggers this vulnerability is the fact that SIZ marker specifies 0 components,” they wrote. “The most effective attack vector is for the threat actor to place a malicious PDF file on a website and and then redirect victims to the website using either phishing emails or even malvertising. Users frequently browse PDF files when surfing the web.”
Talos said it reported the bug to Google last month and a fix was included with Chrome’s 51.0.2704.63 release on May 25. The firm urged users to ensure their browser is up to date, warning that even though the browser updates automatically, users must restart to enable the latest version.
Like other software makers, Google offers a bug bounty for Chrome, doubling it to $100,000 (£70,500) earlier this year.
Google said last month it plans to disable Adobe’s Flash in the browser by default this autumn in order to head off frequent security risks introduced by the component.
Are you a security pro? Try our quiz!
Dozens of Chinese firms added to US export blacklist, in order to hamper Beijing's AI…
Chinese rival BYD overtakes global revenues of Elon Musk's Tesla, as record number of Tesla…
Messaging app Signal in the headlines after a journalist was invited to a top secret…
OpenAI chief operating officer Brad Lightcap to oversee international expansion as company consolidates lead in…
Chinese researchers publish details on device that could wreak havoc on undersea communications cables in…
Former Intel chief Gelsinger expands role at Gloo, becoming executive chairman and head of technology…
![](data:image/svg+xml;charset=utf-8,<svg height="245px" width="341px" xmlns="http://www.w3.org/2000/svg" version="1.1"/>)
