Yesterday, Microsoft released its monthly set of security bulletins and patches for various flaws within currently supported products. Two of the bulletins in yesterday's release are rated critical and address CVE-2016-3319, an arbitrary code execution vulnerability in Microsoft Edge and in the Windows PDF library. With Microsoft's bulletin release, Talos is disclosing the details of this vulnerability, which we identified through our research efforts, on our Vulnerability Report portal.
CVE-2016-3319 (TALOS-2016-0170)
CVE-2016-3319 is an arbitrary code execution vulnerability which manifests in Microsoft Edge and in the Windows PDF library. If a user opens a specially crafted PDF file on a vulnerable system, the system could execute arbitrary code of an attacker's choosing. On Windows 10 systems that are configured to use Microsoft Edge as the default browser, this vulnerability could be triggered by simply browsing to a website hosting a malicious PDF, as Edge will attempt to render the file contents automatically. Note that this vulnerability affects Windows 8.1, Windows Server 2012 (and R2), and Windows 10.
A workaround is available that can reduce the risk of compromise for Windows 10 based PCs where Edge is the default browser. Details of the workaround can be found in Microsoft bulletins MS16-096 and MS16-102.
The full vulnerability report can be found here:
Research to identify zero-day vulnerabilities in software will remain an ongoing effort by Talos. Our work in developing programmatic methods to identify zero-day vulnerabilities and making sure they are addressed in a responsible manner is critical to improving the overall security of the internet. Through our research, we can gain valuable insight into how we can improve our own development practices and help fix software vulnerabilities that might otherwise be exploited by adversaries, such as those in Edge and the Windows PDF library.
The following Snort Rules will detect exploitation attempts of this vulnerability. Note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your FireSIGHT Management Center or Snort.org.
Snort Rules: 25459-25460