Two zero-day vulnerabilities disclosed after Foxit refuses to patch PDF Reader

Vendor: Safe Reading Mode can “effectively guard” against bugs

Researchers have disclosed two zero-day vulnerabilities affecting Foxit's PDF Reader after the vendor revealed it has no plans to fix the security flaws.

On 17 August, responsible disclosure program Zero Day Initiative (ZDI) went public with the bugs its researchers found in Foxit's free PDF reader.

The first vulnerability (CVE-2017-10951) owes its existence to a lack of proper validation of a user-supplied string before the software's app.launchURL method executes a system call.

Foxit PDF Reader's second bug (CVE-2017-10952) also results from improper validation of user-supplied data, but it instead affects the saveAs JavaScript function.

When properly exploited, either of the flaws enables a remote attacker to execute arbitrary code.
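For defenders who want to know which inbound documents reference the two functions named above, here is an added triage example (not code from this article, ZDI or Foxit). It inflates a PDF's Flate-compressed streams and searches them for `app.launchURL(` and `saveAs(` calls; the function names and sample documents are constructed assumptions.

```python
import re
import zlib

# The two call names come from the bug descriptions above; everything else
# here (function names, sample documents) is constructed for illustration.
WATCHED_CALLS = {
    "app.launchURL": re.compile(rb"\bapp\s*\.\s*launchURL\s*\("),
    "saveAs": re.compile(rb"\bsaveAs\s*\("),
}
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def candidate_bodies(pdf_bytes):
    """Yield the raw file (inline scripts) and every stream that inflates as Flate data."""
    yield pdf_bytes
    for match in STREAM_RE.finditer(pdf_bytes):
        try:
            # decompressobj tolerates a stream whose trailing bytes were trimmed
            yield zlib.decompressobj().decompress(match.group(1))
        except zlib.error:
            continue  # not Flate-encoded; its raw bytes were already scanned


def has_javascript_action(pdf_bytes):
    """True when the document declares a JavaScript action or script entry."""
    return b"/JavaScript" in pdf_bytes or b"/JS" in pdf_bytes


def watched_calls(pdf_bytes):
    """Return the sorted names of watched API calls found in any script body."""
    found = set()
    for body in candidate_bodies(pdf_bytes):
        found.update(n for n, rx in WATCHED_CALLS.items() if rx.search(body))
    return sorted(found)


def make_sample(script):
    """Build a minimal, constructed PDF fragment with one Flate-compressed script stream."""
    packed = zlib.compress(script)
    head = b"%PDF-1.7\n1 0 obj\n<< /S /JavaScript /JS 2 0 R >>\nendobj\n2 0 obj\n"
    meta = b"<< /Filter /FlateDecode /Length " + str(len(packed)).encode() + b" >>\n"
    return head + meta + b"stream\n" + packed + b"\nendstream\nendobj\n%%EOF\n"


if __name__ == "__main__":
    for script in (b'app.launchURL("https://example.invalid/", true);',
                   b'this.saveAs("copy.pdf");', b'app.alert("hello");'):
        doc = make_sample(script)
        print(has_javascript_action(doc), watched_calls(doc))
```

A hit is a triage signal for closer inspection, not a verdict: scripts stored under other stream filters, hex-escaped names or obfuscated source will not match.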

ZDI's Ariele Caltabiano discovered the first flaw back in mid-May 2017, while Steven Seeley of Offensive Security found the second bug near the end of June.

Both researchers contacted Foxit about the issues shortly thereafter with the intention of following a 120-day responsible disclosure timeline. But they ultimately decided to disclose the flaws early after Foxit revealed it had no intention of fixing the bugs.

The vendor said as much in a statement provided to AusCERT:

"Foxit Reader & PhantomPDF has a Safe Reading Mode which is enabled by default to control the running of JavaScript, which can effectively guard against potential vulnerabilities from unauthorized JavaScript actions."

That's all very well, but many of us are all too familiar with attacks which have seen innocent users duped into disabling safety features in order to allow poisonous payloads to execute.

Foxit could have used the patches to demonstrate that it takes its products' security seriously and on a timely basis. What a welcome gesture that would have been to Foxit Reader users, especially those who embraced the software while fleeing past Adobe vulnerabilities.

I guess it's back to the drawing board for users who aren't running Foxit in Safe Reading mode.

For some other non-Adobe PDF readers, check out TechRadar's list. Just make sure you do your own research if you decide to go with one of these options. Don't download ANYTHING before you make sure the product has a good security record and will satisfy your needs.

Update: Foxit has released a security advisory, and confirmed that it will be issuing a security update to users:

"We plan to release a Reader/PhantomPDF 8.3.2 patch update this week (ETA Aug 25th) with additional guard against misuse of powerful (potentially insecure) JavaScript functions — this will make Foxit software equivalent to what Adobe does."

More information can be found in Foxit's security bulletin.


4 Responses

  1. Leonard Rosenthol

    August 21, 2017 at 7:03 pm #

    Why would you mention flaws in Adobe Flash when talking about PDF viewing? Flash has nothing to do with PDF. Adobe Acrobat Reader, our PDF viewer, has seen no 0-days in years(!) and every single reported security report is fixed before it is reported to the public.

    I would think that if you are reporting on security concerns, you would recommend a product from a company that takes PDF security seriously.

    • Graham Cluley in reply to Leonard Rosenthol.

      August 21, 2017 at 7:32 pm #

      Hi Leonard

      I think you make a fair point. The original version of David's article referred to Flash vulnerabilities, which aren't really relevant to this discussion, and Adobe PDF Reader has become much much safer in recent years. I've edited the above to remove the reference.

      Still, there's a fair-sized community out there who deserted Adobe products years ago because of its past security screw-ups…

  2. Hero Wang

    August 22, 2017 at 10:38 am #

    Foxit has made an official statement on this issue, and is expected to release an improved version soon. https://www.foxitsoftware.com/support/security-bulletins.php

  3. SumatraUser

    August 22, 2017 at 7:09 pm #

    This is why I use SumatraPDF. It's so feature poor that the attack surface is almost non-existent.
