
Annoying 'Open PDF In Edge' Default Option Puts Windows 10 Users At Risk (softpedia.com) 118

An anonymous reader writes from a report via Softpedia: Microsoft fixed today a serious security flaw in the Windows PDF Library, a standard library used by Windows 10 to open and render PDF files, embedded by default in Edge. Exploiting this flaw allows attackers to execute code on the user's machine and take over the device, just by tricking a user into accessing a PDF hosted online via Edge. Since Edge is not only the default browser in Windows 10, but also the default PDF reader, this flaw puts countless users that have not changed those settings at risk. Even worse, Microsoft has the annoying habit of resetting your personal app preferences once in a blue moon, always reverting Edge as the default browser and the default app to open PDF files.
This discussion has been archived. No new comments can be posted.

  • by pf100 ( 1841922 ) on Tuesday August 09, 2016 @08:43PM (#52675381)
    I don't want to use Edge and I want my settings to stick. Why are they obviously purposefully reverting my settings? I go out of my way to change a normal default setting and MS switches it back. Many times this has happened. There's no excuse for this horseshit.
    • by Anonymous Coward on Tuesday August 09, 2016 @08:51PM (#52675413)

      Because fuck you, that's why. - S. Nadella

    • by Anonymous Coward on Tuesday August 09, 2016 @09:47PM (#52675623)

      Easy: it's ALL about money. What you want or need is *completely* irrelevant. Every update, they'll revert the privacy settings to spy on you more, they'll reinstall the metro/whatever apps you uninstalled because you WILL use the appy apps! Then they reset the defaults to those appy apps. All that, because they'll make 30% cut of the appy app sales. Now, be a good consumer and keep using Windows 10! It's been going in that direction steadily for 5 years (since Windows 8) and it'll keep getting worse. MS no longer cares to even pretend they care about what people want or need. Users are there for the milking and that is all.

      • When I'm buying old Win98/2000 books and am finding they mostly do a good enough job of teaching you how to make programs that are just as good if not better than the programs made using the most up-to-date libraries then something's very wrong.
      • by dremon ( 735466 )
        > MS no longer cares to even pretend they care about what people want or need. Users are there for the milking and that is all.

        How is that different from any profit organization?
    • Re: (Score:3, Funny)

      It could be worse, they could flag your preferred program as incompatible and helpfully uninstall it for you.

      • by Alumoi ( 1321661 )

        Damn it man, don't give them ideas.

        • He isn't. Microsoft already has papers written up with that idea in mind.
          • They already did it with the Windows 10 Anniversary update, which helpfully uninstalls Classic Shell so they pump ads through that abomination of visual vomit that replaced the Start Menu.

    • Why are they obviously purposefully reverting my settings?

      Think of it as early onset of dementia. Microsoft is just becoming a bit forgetful, and left its dentures in the refrigerator again.

    • by Anonymous Coward

      rename the edge executable and watch it fail instead of loading. You have to kill the persistent edge process and open a cmd prompt as administrator to do the deed.

      It's entirely ridiculous that I had to go to such lengths, but it worked.

    • Microsoft wants you to use Edge and wants their settings to stick. Why are you obviously purposefully reverting their settings? They go out of their way to create a normal default setting and you switch it back. Many times this has happened. There's no excuse for this horseshit.

      FTFY.

    • I'm definitely sticking to Windows 7 then.
    • I've had absolutely zero trouble with settings sticking or Edge being magically reset to the default browser. Installed FF and Foxit on day one and have never had that change.
      • Comment removed based on user account deletion
        • I have not disabled Windows Update and I have installed the Anniversary Update without any change.

          Now, setting new defaults through the Windows 10 interface is difficult, and, yes, you must use the Windows 7 interface to do so. That is pretty shitty. I went through it the other day to change defaults and noticed you couldn't pick an executable, only from their preset list of apps through the Windows 10 setup control.
    • by Alumoi ( 1321661 )

      Nanny knows best!

    • Because Facebook conditioned people to expect settings to reset randomly. So why wouldn't companies take advantage of that?

    • by e r ( 2847683 )
      If you're not using Linux or a similarly rights-respecting OS then you're literally one of the reasons this is happening.

      Fools stay in an abusive relationship and complain about it.
  • by FrankHaynes ( 467244 ) on Tuesday August 09, 2016 @08:46PM (#52675395)

    At risk of opening a PDF? Why not automatically open the PDF in protected mode? Surely Edge is advanced enough not to open a PDF with full access permissions to running macros and such?? I mean, Edge can even do WebRTC so at long last Microsoft is catching up to the rest of the world. Surely security considerations can't be far behind. Right? GUYS??

    • Re:At risk of what?? (Score:4, Informative)

      by omnichad ( 1198475 ) on Tuesday August 09, 2016 @09:14PM (#52675513) Homepage

      Joke or not, this is not due to functionality in PDF files macros, but a memory corruption issue leading to code execution. The exact same type of thing that happens with most Adobe Reader vulnerabilities. The only difference is the choice in vendor for your bugs.

      • And yes. Reader has a sandbox, but that's only an extra layer - not foolproof.

        • What I wonder is why edge hasn't. I mean come on, its initial release was in an age where chrome was the most popular browser, and chrome does run its pdf reader in a sandbox (afaik).

          • Chrome runs its PDF plugin in a separate process in a sandbox via PPAPI
            You could disable it and run PDF.js if you wanted to, which only uses standard HTML5 to render the PDF.

      • by MobyDisk ( 75490 )

        What did Microsoft code their PDF viewer in? Microsoft touts how managed code runs almost as fast as native and is perfectly safe. So why didn't they write their PDF code in it?

    • Re: (Score:2, Insightful)

      Edge is a steaming pile of shit. It has to be the worst browser by a major software developer in 20 years.

    • Actually, Microsoft has just patented a new solution. It's called MS CP. Known by its long name: Microsoft Cellulose Pulp. This new product is impervious to all known attack vectors and requires no battery power to operate. This new technology will be available in the Second Anniversary Update, due out after the 18 month divorce update is released.

      On a side note, Amazon, maker of the Kindle Paper White, is suing MS for creating a product similar in name.

      Lawyers from Oracle have filed 1435 various lawsuits,

  • by Archfeld ( 6757 ) <treboreel@live.com> on Tuesday August 09, 2016 @08:50PM (#52675411) Journal

    I use Ubuntu and Windows10 for differing tasks, but I really dislike Edge, and I have since the beginning been using IE11 on Win10. Not that I am disputing it happens but I've not had my defaults reset from what I chose when I 'upgraded' my laptop from Win7 to Win10. In favor of Win10 both the sleep and hibernate function work well now, whereas under Win7 they froze or locked up quite frequently.

  • by QuietLagoon ( 813062 ) on Tuesday August 09, 2016 @09:16PM (#52675523)

    ...Since Edge is not only the default browser in Windows 10, but also the default PDF reader...

    This is so wrong on so many levels.

    .
    But fundamentally, why, oh, why, is the browser being promoted to being a viewer of non-HTML documents?

    Convenience over security still seems to be the rule at Microsoft.

    Has Microsoft learned nothing in the past two decades?

    And Windows 10 was supposed to be the paradigm of security for Windows....

    • Re: (Score:3, Informative)

      by Anonymous Coward

      I'll mention that Chrome I think was the first of the browsers to start the native PDF rendering without a plugin. In this case Microsoft is following Google's lead.

      Personally I haven't had my Windows 10 settings revert away from my alternate PDF reader that I set as the default viewer but with the we'll say 'quirks' of Windows 10 I'm not at all surprised if that has happened to people.

      • by Anonymous Coward

        Huh? Chrome PDF Viewer still is a plugin to this day. chrome://plugins/

      • I'll mention that Chrome I think was the first of the browsers to start the native PDF rendering without a plugin. In this case Microsoft is following Google's lead.

        No. That would likely be OS X/macOS Safari.

        But that isn't surprising, since the OS has had system-wide native PDF read/write support since day one.

    • by Luthair ( 847766 )
      With sandboxing Chrome has proven to be significantly safer than any of the other PDF readers.
      • by roca ( 43122 )

        Other than pdf.js.

    • Ignoring that Firefox and Chrome were doing it first?

      • by roca ( 43122 )

        Chrome and Firefox open PDFs that you browse to in those browsers with their PDF readers, not any PDF you get via email or whatever. So that's less attack surface.

        Furthermore, Firefox uses pdf.js which is basically a Web app, so there's almost no additional attack surface over just visiting a Web page ... which you were already using Firefox to do.

    • by roca ( 43122 )

      The reason is pretty obvious, and it's not convenience. Microsoft needs to increase Edge usage however they can, and this is one way.

    • But fundamentally, why, oh, why, is the browser being promoted to being a viewer of non-HTML documents?

      For the best of reasons, convenience and user experience. OK, so in this particular case so Microsoft makes more money. But generally users want to view content as quickly and conveniently as possible, and displaying it within the browser while browsing makes a lot of sense. I wouldn't mind being able to view documents and spreadsheets in-browser either. If they do it right.

      On that note, I hope there's a particularly nasty place in hell for whoever decided to make Firefox's default pdf viewer so it only loa

    • You might as well ask why the web browser was promoted to being the file system browser also ;-) Seems like the browser is supposed to do all these days, even worse than back in the Win98 times. It's not even just Microsoft anymore, either [slashdot.org]. Yikes.
    • by WallyL ( 4154209 )

      Oh, it is: Windows 10 is making Microsoft feel very secure!

    • by dbIII ( 701233 )

      Has Microsoft learned nothing in the past two decades?

      Due to staff turnover they have not. Hence WinME, Vista, Win8 when they have a new batch of people and Win2K/XP and Win7 when that batch have gained some experience.

  • alternative (Score:2, Insightful)

    by bloodhawk ( 813939 )
    Yep I am sure it would be much safer people switching to the more preferred and common alternative of Adobe Reader. That never has vulnerabilities.
  • Case closed.

  • And we still can't make a robust computer. But then I have to remind myself that we rode horses and even had the wheel for over ten thousand years before we invented an automobile with fine Corinthian Leather. So, I guess I should be patient.

    • "So, I guess I should be patient."

      patient [pey-shuh nt] noun
      1.a person who is under medical care or treatment.
      2.a person or thing that undergoes some action.
      3.Archaic. a sufferer or victim.

      adjective
      4.bearing provocation, annoyance, misfortune, delay, hardship, pain, etc., with fortitude and calm and without complaint, anger, or the like.
      5.characterized by or expressing such a quality:
      a patient smile.
      6.quietly and steadily persevering or diligent, especially in detail or exactness:
      a patient worker.
      7.undergoi

    • by Anonymous Coward

      And we still can't make a robust computer.

      I know that I will be stating the obvious to most Slashdot readers here, but apparently the parent doesn't get it. Modern computers are complex. Taken as a whole, modern computers and the software that they run are among the most complex devices ever devised by man. Imagine a machine with millions of moving parts that's highly intolerant of errors and you'll have some idea. We put up with this complexity and its inherent problems because the benefits of computing far outweigh the costs in most cases.

      • Computers are complex, that is true. But firstly, quite a lot of this complexity is superfluous, the result of crappy engineering, feature creep and backwards compatibility to standards that should have been laid to rest decades ago. And secondly, yes, we are perfectly capable [wordpress.com] of building machines with several million parts of which a sizable portion moves which are highly intolerant of errors and still bringing down the defect rate to a manageable level. The IT world is the shanty town of the industrial se
        • The 747, which you use as an example, is considerably less complex than a large software system because it's got a lot more locality and simple redundancy. Half the parts are fasteners, and fasteners have a local effect. It's easy to put redundant fasteners nearby so that the failure of one will not cause additional problems. It's a lot harder to do similar things in software. The 747 first flew in 1969, doing pretty much what it does now, and there's been a lot of development over more than forty-five

  • So Microsoft still continues old ways of Swiss cheese out of box practice. No offence to real Swiss cheese, it's actually very good cheese. Considering how massive amount of money Microsoft has and how they could hire best programmers, etc... I'm surprised they still keep making same damn mistakes again and again. Almost like design practice is: Let's sell them broken product and then release fix to some issues later...
  • "Annoying 'Open PDF In Edge' Default Option Puts Windows 10 Users At Risk "

    Only for the few Windows 10 users who use Edge.

    You have two types of Windows 10 users... those who use Chrome, and those who still want to use IE.

    • Browsing brought to you by advertisers, or the big OS company? I'll skip those two options. Seems like a Clinton/Trump kind of choice to me.
  • What is the best PDF display choice for Windows 10?

    I'll admit to using Edge just out of sheer laziness on a fairly new Win 10 laptop just to avoid Acrobat Reader. From file explorer, I usually point them to Chrome.

    It seemed like for years Reader was a big security problem. The last time I looked at third party PDF display software, it was a maze of spyware and nagware with no obvious great replacement.

  • Force your shit OS down everyone's throat
    Claim the spying and pwnage of people's computer is 'for their own protection'
    Claim forcing updates on everyone is 'for their own protection'
    Still manage to get pwned by hackers


    Microsoft, you fucking fail IN SO MANY WAYS that I can't even begin to count them. You didn't 'improve' anything. You didn't 'secure' anything. You're not 'protecting' users. You just forced your gods-be-damned piece of shit OS on everyone like a gods-be-damned date-rapist, and didn't even
  • If you actually try to install a third party app to handle PDFs, (tested with sumatrapdf), Windows 10 will intercept the file association change and revert it because it sees it as a hacking attempt. You must change it manually by going to the Default Programs option.

  • The best way to solve this problem is to change default PDF viewer setting & open PDF in any supported viewer like Microsoft Edge, Adobe Reader & Adobe DC. Follow the step in the blog of PDF file not opening in Microsoft Edge [systoolsgroup.com]. To change default PDF viewer setting.
