Researchers have disclosed two zero-day vulnerabilities affecting Foxit’s PDF Reader after the vendor revealed it has no plans to fix the security flaws.
On 17 August, responsible disclosure program Zero Day Initiative (ZDI) went public with the bugs its researchers found in Foxit’s free PDF reader.
The first vulnerability (CVE-2017-10951) owes its existence to a lack of proper validation of a user-supplied string before the software’s app.launchURL method executes a system call.
ZDI’s Ariele Caltabiano discovered the first flaw back in mid-May 2017, while Steven Seeley of Offensive Security found the second bug near the end of June.
Both researchers contacted Foxit about the issues shortly thereafter with the intention of following a 120-day responsible disclosure timeline. But they ultimately decided to disclose the flaws early after Foxit revealed it had no intention of fixing the bugs.
The vendor said as much in a statement provided to AusCERT:
That’s all very well, but many of us are all too familiar with attacks which have seen innocent users duped into disabling safety features in order to allow poisonous payloads to execute.
Foxit could have used the patches to demonstrate that it takes its products’ security seriously and on a timely change. What a welcome gesture that would have been to Foxit Reader users, especially those who embraced the software while fleeing past Adobe vulnerabilities.
I guess it’s back to the drawing board for users who aren’t running Foxit in Safe Reading mode.
For some other non-Adobe PDF readers, check out TechRadar’s list. Just make sure you do your own research if you decide to go with one of these options. Don’t download ANYTHING before you make sure the product has a good security record and will satisfy your needs.
Update: Foxit has released a security advisory, and confirmed that it will be issuing a security update to users:
More information can be found in Foxit’s security bulletin.
Found this article interesting? Follow Graham Cluley on Twitter to read more of the exclusive content we post.