Annoying 'Open PDF In Edge' Default Option Puts Windows 10 Users At Risk (softpedia.com) 118
An anonymous reader writes from a report via Softpedia: Microsoft fixed today a serious security flaw in the Windows PDF Library, a standard library used by Windows 10 to open and render PDF files, embedded by default in Edge. Exploiting this flaw allows attackers to execute code on the user's machine and take over the device, just by tricking a user into accessing a PDF hosted online via Edge. Since Edge is not only the default browser in Windows 10, but also the default PDF reader, this flaw puts countless users that have not changed those settings at risk. Even worse, Microsoft has the annoying habit of resetting your personal app preferences once in a blue moon, always reverting Edge as the default browser and the default app to open PDF files.
Re:Surprise surprise! (Score:5, Informative)
I think the bigger surprise was that Microsoft claims that UWP apps are sandboxed, only they're not.
Re: (Score:1)
I think that's Microsoft's way of resurrecting the browser wars of the 90's. They hope to win again under similar conditions as last time: Shut the competitors out of your operating system by making it disfavor them. Though this time it's different -- they no longer control the computing platform of the masses -- control of that now resides in the hands of Google.
Re: (Score:3)
They should first finish the browser before trying to compete.
Last time I checked, Edge didn't support desktop drag&drop, which all major browsers (including Internet Explorer) have had for many years.
Microsoft is relentless in being obnoxious lately (Score:5, Insightful)
Re:Microsoft is relentless in being obnoxious late (Score:5, Insightful)
Because fuck you, that's why. - S. Nadella
Re: (Score:3)
Wish I had mod points; certainly, you have nailed it.
Re:Microsoft is relentless in being obnoxious late (Score:5, Insightful)
Easy: it's ALL about money. What you want or need is *completely* irrelevant. Every update, they'll revert the privacy settings to spy on you more, they'll reinstall the metro/whatever apps you uninstalled because you WILL use the appy apps! Then they reset the defaults to those appy apps. All that, because they'll make 30% cut of the appy app sales. Now, be a good consumer and keep using Windows 10! It's been going in that direction steadily for 5 years (since Windows 8) and it'll keep getting worse. MS no longer cares to even pretend they care about what people want or need. Users are there for the milking and that is all.
Re: Microsoft is relentless in being obnoxious lat (Score:2)
Re: (Score:2)
How is that different from any profit organization?
Re: (Score:3, Funny)
It could be worse, they could flag your preferred program as incompatible and helpfully uninstall it for you.
Re: (Score:3)
Damn it man, don't give them ideas.
Re: (Score:1)
Re: (Score:2)
They already did it with the Windows 10 Anniversary update, which helpfully uninstalls Classic Shell so they pump ads at you through that abomination of visual vomit that replaced the Start Menu.
Re: (Score:1)
Why are they obviously purposefully reverting my settings?
Think of it as early onset of dementia. Microsoft is just becoming a bit forgetful, and left its dentures in the refrigerator again.
Re: (Score:1)
rename the edge executable and watch it fail instead of loading. You have to kill the persistent edge process and open a cmd prompt as administrator to do the deed.
It's entirely ridiculous that I had to go to such lengths, but it worked.
Re: (Score:3)
Microsoft wants you to use Edge and wants their settings to stick. Why are you obviously purposefully reverting their settings? They go out of their way to create a normal default setting and you switch it back. Many times this has happened. There's no excuse for this horseshit.
FTFY.
Re: (Score:1)
Re: (Score:2)
Re: (Score:3)
Re: (Score:2)
Now, setting new defaults through the Windows 10 interface is difficult, and, yes, you must use the Windows 7 interface to do so. That is pretty shitty. I went through it the other day to change defaults and noticed you couldn't pick an executable, only from their preset list of apps through the Windows 10 setup control.
Re: (Score:3)
Nanny knows best!
Re: (Score:2)
Because Facebook conditioned people to expect settings to reset randomly. So why wouldn't companies take advantage of that?
Re: (Score:2)
Moral: Quit trying to change the way Microsoft's computer runs and use it the way you are supposed to.
Ah, rebooting into Ubuntu.
Re: (Score:3)
Fools stay in an abusive relationship and complain about it.
Re:Microsoft is relentless in being obnoxious late (Score:4, Insightful)
MS is just doing what it thinks is the, uhm, needful.
At risk of what?? (Score:5, Funny)
At risk of opening a PDF? Why not automatically open the PDF in protected mode? Surely Edge is advanced enough not to open a PDF with full access permissions to running macros and such?? I mean, Edge can even do WebRTC so at long last Microsoft is catching up to the rest of the world. Surely security considerations can't be far behind. Right? GUYS??
Re: (Score:2)
Making satay with nutella instead of peanut sauce?
Re:At risk of what?? (Score:4, Informative)
Joke or not, this is not due to functionality in PDF files macros, but a memory corruption issue leading to code execution. The exact same type of thing that happens with most Adobe Reader vulnerabilities. The only difference is the choice in vendor for your bugs.
Re: (Score:3)
And yes. Reader has a sandbox, but that's only an extra layer - not foolproof.
Re: (Score:2)
What I wonder is why Edge hasn't. I mean, come on, its initial release was in an age where Chrome was the most popular browser, and Chrome does run its PDF reader in a sandbox (afaik).
Re: (Score:2)
Chrome runs its PDF plugin in a separate process in a sandbox via PPAPI.
You could disable it and run PDF.js if you wanted to, which only uses standard HTML5 to render the PDF.
Re: (Score:2)
What did Microsoft code their PDF viewer in? Microsoft touts how managed code runs almost as fast as native and is perfectly safe. So why didn't they write their PDF code in it?
Re: (Score:2)
Seems to me you can either use managed code or get work done.
Re: (Score:2, Insightful)
Edge is a steaming pile of shit. It has to be the worst browser by a major software developer in 20 years.
Re: (Score:2)
Actually, Microsoft has just patented a new solution. It's called MS CP. Known by its long name: Microsoft Cellulose Pulp. This new product is impervious to all known attack vectors and requires no battery power to operate. This new technology will be available in the Second Anniversary Update, due out after the 18 month divorce update is released.
On a side note, Amazon, maker of the Kindle Paper White, is suing MS for creating a product similar in name.
Lawyers from Oracle have filed 1435 various lawsuits,
Edge vs IE11 (Score:3)
I use Ubuntu and Windows10 for differing tasks, but I really dislike Edge, and I have since the beginning been using IE11 on Win10. Not that I am disputing it happens but I've not had my defaults reset from what I chose when I 'upgraded' my laptop from Win7 to Win10. In favor of Win10 both the sleep and hibernate function work well now, whereas under Win7 they froze or locked up quite frequently.
Re: (Score:2)
What is up with the Softpedia? Isn't that the website that distributes malware laden software?
I thought that was SourceForge
Microsoft: convenience over security (Score:5, Insightful)
...Since Edge is not only the default browser in Windows 10, but also the default PDF reader...
This is so wrong on so many levels.
.
But fundamentally, why, oh, why, is the browser being promoted to being a viewer of non-HTML documents?
Convenience over security still seems to be the rule at Microsoft.
Has Microsoft learned nothing in the past two decades?
And Windows 10 was supposed to be the paradigm of security for Windows....
Re: (Score:3, Informative)
I'll mention that Chrome I think was the first of the browsers to start the native PDF rendering without a plugin. In this case Microsoft is following Google's lead.
Personally I haven't had my Windows 10 settings revert away from my alternate PDF reader that I set as the default viewer but with the we'll say 'quirks' of Windows 10 I'm not at all surprised if that has happened to people.
Re: (Score:1)
Huh? Chrome PDF Viewer still is a plugin to this day. chrome://plugins/
Re: (Score:2)
I'll mention that Chrome I think was the first of the browsers to start the native PDF rendering without a plugin. In this case Microsoft is following Google's lead.
No. That would likely be OS X/macOS Safari.
But that isn't surprising, since the OS has had system-wide native PDF read/write support since day one.
Re: (Score:2)
Re: (Score:2)
Other than pdf.js.
Re: (Score:2)
Probably pretty well. One of the reasons why PDF is such a security mess (other than Adobe) is because it has such a huge attack surface. There's tons of features, many of which are seldom used, that allow PDF to do almost anything (well, actually a lot of that is Adobe's fault, actually). Remove support for all of those features and you're going to have a much more secure program that will still work for 99%+ of PDF files out there.
Re: (Score:3)
Ignoring that Firefox and Chrome were doing it first?
Re: (Score:2)
Chrome and Firefox open PDFs that you browse to in those browsers with their PDF readers, not any PDF you get via email or whatever. So that's less attack surface.
Furthermore, Firefox uses pdf.js which is basically a Web app, so there's almost no additional attack surface over just visiting a Web page ... which you were already using Firefox to do.
Re: (Score:1)
Wrong. In the absence of another PDF reader, Chrome will open downloaded PDFs.
Re: (Score:2)
The reason is pretty obvious, and it's not convenience. Microsoft needs to increase Edge usage however they can, and this is one way.
Re: (Score:2)
But fundamentally, why, oh, why, is the browser being promoted to being a viewer of non-HTML documents?
For the best of reasons, convenience and user experience. OK, so in this particular case so Microsoft makes more money. But generally users want to view content as quickly and conveniently as possible, and displaying it within the browser while browsing makes a lot of sense. I wouldn't mind being able to view documents and spreadsheets in-browser either. If they do it right.
On that note, I hope there's a particularly nasty place in hell for whoever decided to make Firefox's default pdf viewer so it only loa
Re: (Score:1)
Re: (Score:1)
Oh, it is: Windows 10 is making Microsoft feel very secure!
Re: (Score:2)
Due to staff turnover they have not. Hence WinME, Vista, Win8 when they have a new batch of people and Win2K/XP and Win7 when that batch have gained some experience.
Re: (Score:1)
It's bitztream, the autism-hating Slashdot troll!
alternative (Score:2, Insightful)
Use Sumatra (Score:2)
Case closed.
Re: (Score:2)
I have time for an external viewer when pdf.js performs poorly on old hardware, whereas sumatra and atril don't choke.
Re: (Score:1)
What year is this? Apparently the dark ages just called on the land-line and wants us to download a stand-alone PDF reader. LOLwut? We ain't got time fo' dat. Just click on the link in your browser. Chrome and Firefox both support PDF (R.I.P. Adobe).
Yo dawg!
I don't always want to fucking read the fucking pdf in my fucking browser, so I download it for later viewing in a proper program.
Re: (Score:2)
What year is this? Apparently the dark ages just called on the land-line and wants us to download a stand-alone PDF reader. LOLwut? We ain't got time fo' dat. Just click on the link in your browser. Chrome and Firefox both support PDF (R.I.P. Adobe).
Or just do it the right way, and build native PDF read/write support directly into the OS, like OS X/macOS has since day one. And yes, I realize they inherited that from NeXTStep; but that was SIXTEEN years ago, and STILL nobody else does it.
Re: (Score:2)
Yeah, just what we need: another massive security vulnerability built into the OS. No thanks. Apple got this wrong. PDF belongs in a userspace sandbox.
1. Then how come in SIXTEEN YEARS, no one has exploited the PDF services in OS X? 2. Apple != Adobe 3. Adobe's PDF vulnerabilities have been all, or mostly all, Userspace code. So now what?
I am fascinated by all the genius in this world (Score:1)
And we still can't make a robust computer. But then I have to remind myself that we rode horses and even had the wheel for over ten thousand years before we invented an automobile with fine Corinthian Leather. So, I guess I should be patient.
Re: (Score:2)
"So, I guess I should be patient."
patient [pey-shuh nt] noun
1.a person who is under medical care or treatment.
2.a person or thing that undergoes some action.
3.Archaic. a sufferer or victim.
adjective
4.bearing provocation, annoyance, misfortune, delay, hardship, pain, etc., with fortitude and calm and without complaint, anger, or the like.
5.characterized by or expressing such a quality:
a patient smile.
6.quietly and steadily persevering or diligent, especially in detail or exactness:
a patient worker.
7.undergoi
Re: (Score:1)
And we still can't make a robust computer.
I know that I will be stating the obvious to most Slashdot readers here, but apparently the parent doesn't get it. Modern computers are complex. Taken as a whole, modern computers and the software that they run are among the most complex devices ever devised by man. Imagine a machine with millions of moving parts that's highly intolerant of errors and you'll have some idea. We put up with this complexity and its inherent problems because the benefits of computing far outweigh the costs in most cases.
Re: (Score:2)
Re: (Score:2)
The 747, which you use as an example, is considerably less complex than a large software system because it's got a lot more locality and simple redundancy. Half the parts are fasteners, and fasteners have a local effect. It's easy to put redundant fasteners nearby so that the failure of one will not cause additional problems. It's a lot harder to do similar things in software. The 747 first flew in 1969, doing pretty much what it does now, and there's been a lot of development over more than forty-five
Same old Microsoft policy (Score:1)
Well, yes and no... (Score:2)
"Annoying 'Open PDF In Edge' Default Option Puts Windows 10 Users At Risk "
Only for the few Windows 10 users who use Edge.
You have two types of Windows 10 users... those who use Chrome, and those who still want to use IE.
Re: (Score:2)
So what is the "best" PDF display choice for Win10 (Score:2)
What is the best PDF display choice for Windows 10?
I'll admit to using Edge just out of sheer laziness on a fairly new Win 10 laptop just to avoid Acrobat Reader. From file explorer, I usually point them to Chrome.
It seemed like for years Reader was a big security problem. The last time I looked at third party PDF display software, it was a maze of spyware and nagware with no obvious great replacement.
Thanks so much, Microsoft assholes (Score:2)
Claim the spying and pwnage of people's computer is 'for their own protection'
Claim forcing updates on everyone is 'for their own protection'
Still manage to get pwned by hackers
Microsoft, you fucking fail IN SO MANY WAYS that I can't even begin to count them. You didn't 'improve' anything. You didn't 'secure' anything. You're not 'protecting' users. You just forced your gods-be-damned piece of shit OS on everyone like a gods-be-damned date-rapist, and didn't even
It gets worse (Score:2)
If you actually try to install a third party app to handle PDFs (tested with SumatraPDF), Windows 10 will intercept the file association change and revert it because it sees it as a hacking attempt. You must change it manually by going to the Default Programs option.
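One way to check which handler actually holds the `.pdf` association after an install or an update, as an added example that is not part of the thread or of any poster's comment. The function name `Get-PdfHandler` and its `-ExpectedProgId` parameter are hypothetical, and the `AppX` prefix test is only a heuristic for packaged (UWP) apps.

```powershell
# Added example (not from the thread): report the current user's .pdf handler.
function Get-PdfHandler {
    param(
        [string]$Extension = '.pdf',
        # Hypothetical parameter: the ProgId you expect your chosen reader to hold.
        [string]$ExpectedProgId
    )
    $progId = $null
    $source = 'None'

    # Per-user choice made through the Default Programs / Settings UI.
    $userChoice = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\$Extension\UserChoice"
    if (Test-Path -LiteralPath $userChoice) {
        $progId = (Get-ItemProperty -LiteralPath $userChoice -Name ProgId -ErrorAction SilentlyContinue).ProgId
        if ($progId) { $source = 'UserChoice' }
    }
    # No per-user choice recorded: fall back to the class default for the extension.
    if (-not $progId) {
        $classKey = "Registry::HKEY_CLASSES_ROOT\$Extension"
        if (Test-Path -LiteralPath $classKey) {
            $progId = (Get-Item -LiteralPath $classKey).GetValue('')
            if ($progId) { $source = 'ClassDefault' }
        }
    }
    # Resolve the open command; packaged apps may have no command string here.
    $command = $null
    if ($progId) {
        $cmdKey = "Registry::HKEY_CLASSES_ROOT\$progId\shell\open\command"
        if (Test-Path -LiteralPath $cmdKey) {
            $command = (Get-Item -LiteralPath $cmdKey).GetValue('')
        }
    }
    [pscustomobject]@{
        Extension       = $Extension
        ProgId          = $progId
        Source          = $source
        Command         = $command
        LooksPackaged   = [bool]($progId -like 'AppX*')
        MatchesExpected = if ($ExpectedProgId) { $progId -eq $ExpectedProgId } else { $null }
    }
}

Get-PdfHandler | Format-List
```

Run it once after setting your preferred reader to record its ProgId, then pass that value as `-ExpectedProgId` after later updates to see whether the association has been reset.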
Change default PDF setting (Score:1)
The best way to solve this problem is to change the default PDF viewer setting & open PDFs in any supported viewer like Microsoft Edge, Adobe Reader & Adobe DC. Follow the steps in the blog post "PDF file not opening in Microsoft Edge" [systoolsgroup.com] to change the default PDF viewer setting.