The Windows Runtime (WinRT) PDF Renderer library is one of the components built into recent releases of Windows that lets developers integrate PDF reading functionality into their own apps. It’s used by many apps, including the default PDF Reader, third-party apps, and even the Microsoft Edge browser.
According to Mark Vincent Yason, a security researcher with IBM’s X-Force Advanced Research team, WinRT PDF is exposed to drive-by attacks in much the same way that attackers used Flash or Java in the past.
Because Microsoft Edge uses WinRT PDF as its default reader, any PDF embedded in a web page is opened within the library. This gives attackers a way to exploit a vulnerability in the library via a PDF file: they can open a PDF secretly off-screen with the help of CSS and execute malicious code, much as exploit kits like Angler or Neutrino deliver Flash, Java, or Silverlight payloads.
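The delivery mechanism described above (a PDF embedded in a page and hidden with CSS) is something a defender can look for in crawled or proxied HTML. The following Python example is added here and is not code from the article or from IBM X-Force; it uses only the standard library. It scans a page for `embed`, `object` and `iframe` elements that point at a PDF and flags those whose own inline style hides them off-screen or collapses them to zero size. The sample HTML is constructed for the example; the element names and heuristics are assumptions, not an exhaustive detector.

```python
import re
from html.parser import HTMLParser

# Elements that cause a browser to load an embedded document.
PDF_TAGS = {"embed", "object", "iframe"}

# Inline-style patterns that make an element invisible to the user.
# The style string is lower-cased and stripped of spaces before matching.
_HIDING_PATTERNS = [
    r"display:none",
    r"visibility:hidden",
    r"opacity:0(?![.0-9])",          # opacity:0 but not opacity:0.5
    r"(left|top):-\d{3,}px",         # pushed far outside the viewport
    r"(width|height):0(px)?(;|$)",   # zero-sized box
]


def _is_offscreen(style):
    """True if the element's own inline style hides it (heuristic)."""
    s = style.lower().replace(" ", "")
    return any(re.search(p, s) for p in _HIDING_PATTERNS)


def _is_pdf_source(src, type_attr):
    """True if the source URL or declared MIME type indicates a PDF."""
    path = src.split("?", 1)[0].split("#", 1)[0].lower()
    return path.endswith(".pdf") or type_attr.strip().lower() == "application/pdf"


class PdfEmbedFinder(HTMLParser):
    """Collects every PDF-loading element together with a 'hidden' verdict.

    Limitation (by design, to keep the example self-contained): only the
    element's own inline style and 'hidden' attribute are inspected.
    Hiding via a parent element or an external stylesheet is not detected.
    """

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in PDF_TAGS:
            return
        a = dict(attrs)                       # valueless attrs map to None
        src = a.get("src") or a.get("data") or ""
        if not _is_pdf_source(src, a.get("type") or ""):
            return
        hidden = "hidden" in a or _is_offscreen(a.get("style") or "")
        self.findings.append({"tag": tag, "src": src, "hidden": hidden})


def find_pdf_embeds(html):
    """Return all PDF-loading elements found in the HTML, in document order."""
    parser = PdfEmbedFinder()
    parser.feed(html)
    parser.close()
    return parser.findings


def hidden_pdf_embeds(html):
    """Return only the PDF embeds that the page is trying to keep out of view."""
    return [f for f in find_pdf_embeds(html) if f["hidden"]]


# Constructed sample page: one legitimate, visible PDF and two concealed ones.
SAMPLE_HTML = """
<html><body>
<h1>Quarterly report</h1>
<embed src="/docs/report.pdf" type="application/pdf" width="600" height="400">
<div style="position:absolute; left:-9999px; top:0">
  <object data="https://cdn.example.invalid/ads/promo.pdf"
          type="application/pdf" style="width:0;height:0"></object>
</div>
<iframe src="/viewer/manual.pdf" style="display:none"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for f in find_pdf_embeds(SAMPLE_HTML):
        flag = "HIDDEN " if f["hidden"] else "visible"
        print(f"{flag} <{f['tag']}> {f['src']}")
```

In a proxy or crawler pipeline the interesting signal is a page whose only PDF references are hidden ones; a visible `<embed>` of a report is ordinary content, while a zero-sized or off-screen PDF that the user was never meant to see is worth logging for review.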
Attackers would just need to find WinRT PDF vulnerabilities and build up a database of those they could leverage for distributing their malware.
Mr. Yason explains: “A major factor that will affect when and how often we see in-the-wild exploits for WinRT PDF vulnerabilities depends on how difficult it is to exploit them”.
He also adds that since Windows 10 implements former EMET features such as ASLR and Control Flow Guard, exploiting a WinRT PDF reader vulnerability is time-consuming and costly for attackers.
A more in-depth analysis of this attack will be presented by Mr. Yason at this year’s RSA security conference in San Francisco.