Discovered and disclosed by security firm EdgeSpot, the vulnerability has already been spotted in the wild and exploited by hackers. To make matters worse, Google is unlikely to issue a fix until late April. It is worth noting the exploit is only active when a PDF is opened within Chrome itself. If a user chooses to open the file with a dedicated reader like Adobe Reader, no information is leaked. However, when the PDF is opened in the browser, the malicious content is triggered. Outbound traffic sends users to one of two malicious domains, readnotify.com and burpcollaborator.com. These sites take the exposed user information, which includes the device IP address, the operating system, and the Chrome version being used. Additionally, a path to local drivers through the PDF is sent. Interestingly, the dirty PDF files are able to bypass security software, whether that’s Google’s in-built protections or third-party anti-virus tools. However, EdgeSpot says some antivirus products do flag the PDF during a dedicated scan.
Prevention
At the moment, the best advice for Chrome users is to avoid opening PDFs in the browser, especially if you are not sure of the content. That’s because Google will not be issuing a fix anytime soon. The vulnerability was reported to the company on December 26, but Google says no fix will be issued until a late-April update. “We decided to release our finding prior to the patch because we think it’s better to give the affected users a chance to be informed/alerted of the potential risk, since the active exploits/samples are in the wild while the patch is not near away,” the researchers at EdgeSpot add. Google will roll out Chrome 74, the next iteration of the browser, on April 23, and that release will shore up against this attack.