A tricky vulnerability patched today in the Windows PDF Library could have put Microsoft Edge users on Windows 10 systems at risk for remote code execution attacks.
Unlike most other browsers, Edge automatically renders PDF content when it’s set as a computer’s default browser; the feature means that an exploit would execute when a user simply views a PDF online. While this bug has been neither publicly disclosed nor attacked, it’s expected to be an attractive attack vector for hackers.
Microsoft patched this flaw in MS16-102, one of four critical security bulletins it published today. The vulnerability, CVE-2016-3319, corrupts memory when exploited and allows an attacker to run arbitrary code with the same privileges as the user. Microsoft said attackers could either lure victims to a site containing a malicious PDF, or add an infected PDF to a site that accepts user-provided content.