Two zero-day vulnerabilities disclosed after Foxit refuses to patch PDF Reader

Vendor: Safe Reading Mode can “effectively guard” against bugs

David Bisson (@DMBisson)

Researchers have disclosed two zero-day vulnerabilities affecting Foxit’s PDF Reader after the vendor revealed it has no plans to fix the security flaws.

On 17 August, responsible disclosure program Zero Day Initiative (ZDI) went public with the bugs its researchers found in Foxit’s free PDF reader.

The first vulnerability (CVE-2017-10951) owes its existence to a lack of proper validation of a user-supplied string before the software’s app.launchURL method executes a system call.

Foxit PDF Reader’s second bug (CVE-2017-10952) also results from improper validation of user-supplied data, but it instead affects the saveAs JavaScript function.

When properly exploited, either of the flaws enables a remote attacker to execute arbitrary code.

ZDI’s Ariele Caltabiano discovered the first flaw back in mid-May 2017, while Steven Seeley of Offensive Security found the second bug near the end of June.

Both researchers contacted Foxit about the issues shortly thereafter with the intention of following a 120-day responsible disclosure timeline. But they ultimately decided to disclose the flaws early after Foxit revealed it had no intention of fixing the bugs.

The vendor said as much in a statement provided to AusCERT:

“Foxit Reader & PhantomPDF has a Safe Reading Mode which is enabled by default to control the running of JavaScript, which can effectively guard against potential vulnerabilities from unauthorized JavaScript actions.”

That’s all very well, but many of us are all too familiar with attacks which have seen innocent users duped into disabling safety features in order to allow poisonous payloads to execute.

Foxit could have used the patches to demonstrate that it takes its products’ security seriously and on a timely basis. What a welcome gesture that would have been to Foxit Reader users, especially those who embraced the software while fleeing past Adobe vulnerabilities.

I guess it’s back to the drawing board for users who aren’t running Foxit in Safe Reading mode.

For some other non-Adobe PDF readers, check out TechRadar’s list. Just make sure you do your own research if you decide to go with one of these options. Don’t download ANYTHING before you make sure the product has a good security record and will satisfy your needs.

Update: Foxit has released a security advisory, and confirmed that it will be issuing a security update to users:

“We plan to release a Reader/PhantomPDF 8.3.2 patch update this week (ETA Aug 25th) with additional guard against misuse of powerful (potentially insecure) JavaScript functions — this will make Foxit software equivalent to what Adobe does.”

More information can be found in Foxit’s security bulletin.


David Bisson is an infosec news junkie and security journalist. He works as Contributing Editor for Graham Cluley Security News and Associate Editor for Tripwire's "The State of Security" blog.

4 comments on “Two zero-day vulnerabilities disclosed after Foxit refuses to patch PDF Reader”

  1. Leonard Rosenthol

    Why would you mention flaws in Adobe Flash when talking about PDF viewing? Flash has nothing to do with PDF. Adobe Acrobat Reader, our PDF viewer, has seen no 0-days in years(!) and every single reported security report is fixed before it is reported to the public.

    I would think that if you are reporting on security concerns, you would recommend a product from a company that takes PDF security seriously.

    1. Hi Leonard

      I think you make a fair point. The original version of David's article referred to Flash vulnerabilities, which aren't really relevant to this discussion, and Adobe PDF Reader has become much much safer in recent years. I've edited the above to remove the reference.

      Still, there's a fair-sized community out there who deserted Adobe products years ago because of its past security screw-ups…

  2. Hero Wang

    Foxit has made an official statement on this issue, and is expected to release an improved version soon. https://www.foxitsoftware.com/support/security-bulletins.php

  3. SumatraUser

    This is why I use SumatraPDF. It's so feature poor that the attack surface is almost non-existent.
