Researchers have disclosed two zero-day vulnerabilities affecting Foxit’s PDF Reader after the vendor revealed it has no plans to fix the security flaws.
On 17 August, responsible disclosure program Zero Day Initiative (ZDI) went public with the bugs its researchers found in Foxit’s free PDF reader.
The first vulnerability (CVE-2017-10951) owes its existence to a lack of proper validation of a user-supplied string before the software’s app.launchURL method executes a system call.
Foxit PDF Reader’s second bug (CVE-2017-10952) also results from improper validation of user-supplied data, but it instead affects the saveAs JavaScript function.
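Because both bugs are reached only through document JavaScript, a defender triaging inbound PDFs can flag any file whose scripts invoke the two functions named above. The scanner below is an added example written for this article, not code from ZDI or Foxit; the sample PDFs are constructed inline (a benign app.launchURL call, a saveAs call in a compressed stream, and a harmless print call) and the parser assumes a direct /Length value on stream objects.

```python
import re
import zlib

# JavaScript functions named in the ZDI advisories (CVE-2017-10951 / CVE-2017-10952)
RISKY_CALLS = ("app.launchURL", "saveAs")

def _decode_pdf_string(raw: bytes) -> str:
    """Decode a PDF literal (...) or hex <...> string object to text."""
    if raw.startswith(b"<"):
        return bytes.fromhex(raw[1:-1].decode("ascii")).decode("latin-1")
    body = raw[1:-1].replace(b"\\(", b"(").replace(b"\\)", b")")
    return body.replace(b"\\\\", b"\\").decode("latin-1")

def extract_js(pdf: bytes) -> list:
    """Collect every /JS body: inline string objects and referenced streams."""
    scripts = []
    for m in re.finditer(rb"/JS\s*(\((?:[^\\)]|\\.)*\)|<[0-9A-Fa-f\s]*>)", pdf):
        scripts.append(_decode_pdf_string(m.group(1)))
    for m in re.finditer(rb"/JS\s+(\d+)\s+\d+\s+R\b", pdf):
        pat = rb"(?s)(?<!\d)" + m.group(1) + rb"\s+\d+\s+obj\s*<<(.*?)>>\s*stream\r?\n"
        obj = re.search(pat, pdf)
        if not obj:
            continue
        # assumption: /Length is a direct integer, not an indirect reference
        length = int(re.search(rb"/Length\s+(\d+)", obj.group(1)).group(1))
        data = pdf[obj.end(): obj.end() + length]
        if b"/FlateDecode" in obj.group(1):
            data = zlib.decompress(data)
        scripts.append(data.decode("latin-1"))
    return scripts

def find_risky_calls(pdf: bytes) -> list:
    """Return (function, script) pairs for scripts that invoke a risky Foxit API."""
    hits = []
    for js in extract_js(pdf):
        for fn in RISKY_CALLS:
            if re.search(re.escape(fn) + r"\s*\(", js):
                hits.append((fn, js.strip()))
    return hits

# Constructed sample: an OpenAction whose inline script calls app.launchURL
SAMPLE_LAUNCHURL = b"""%PDF-1.4
1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj
2 0 obj << /S /JavaScript /JS (app.launchURL\\("https://example.com/", true\\);) >> endobj
%%EOF
"""

def _stream_pdf(js: bytes) -> bytes:
    """Build a constructed PDF whose /JS lives in a Flate-compressed stream object."""
    body = zlib.compress(js)
    return (b"%PDF-1.4\n1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj\n"
            b"2 0 obj << /S /JavaScript /JS 3 0 R >> endobj\n"
            b"3 0 obj << /Length " + str(len(body)).encode() + b" /Filter /FlateDecode >>\n"
            b"stream\n" + body + b"\nendstream\nendobj\n%%EOF\n")

SAMPLE_SAVEAS = _stream_pdf(b'this.saveAs("/tmp/copy.pdf");')
SAMPLE_BENIGN = _stream_pdf(b'this.print();')
```

A hit only means the document uses one of the two APIs and deserves a closer look; it is not proof of an injection attempt.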
ZDI’s Ariele Caltabiano discovered the first flaw back in mid-May 2017, while Steven Seeley of Offensive Security found the second bug near the end of June.
Both researchers contacted Foxit about the issues shortly thereafter with the intention of following a 120-day responsible disclosure timeline. But they ultimately decided to disclose the flaws early after Foxit revealed it had no intention of fixing the bugs.
The vendor said as much in a statement provided to AusCERT:
“Foxit Reader & PhantomPDF has a Safe Reading Mode which is enabled by default to control the running of JavaScript, which can effectively guard against potential vulnerabilities from unauthorized JavaScript actions.”
That’s all very well, but many of us are all too familiar with attacks which have seen innocent users duped into disabling safety features in order to allow poisonous payloads to execute.
Foxit could have used the patches to demonstrate that it takes its products’ security seriously and responds in a timely fashion. What a welcome gesture that would have been to Foxit Reader users, especially those who embraced the software while fleeing past Adobe vulnerabilities.
I guess it’s back to the drawing board for users who aren’t running Foxit in Safe Reading Mode.
For some other non-Adobe PDF readers, check out TechRadar’s list. Just make sure you do your own research if you decide to go with one of these options. Don’t download ANYTHING before you make sure the product has a good security record and will satisfy your needs.
Update: Foxit has released a security advisory, and confirmed that it will be issuing a security update to users:
“We plan to release a Reader/PhantomPDF 8.3.2 patch update this week (ETA Aug 25th) with additional guard against misuse of powerful (potentially insecure) JavaScript functions — this will make Foxit software equivalent to what Adobe does.”
More information can be found in Foxit’s security bulletin.
Why would you mention flaws in Adobe Flash when talking about PDF viewing? Flash has nothing to do with PDF. Adobe Acrobat Reader, our PDF viewer, has seen no 0-days in years(!) and every single reported security report is fixed before it is reported to the public.
I would think that if you are reporting on security concerns, you would recommend a product from a company that takes PDF security seriously.
Hi Leonard
I think you make a fair point. The original version of David's article referred to Flash vulnerabilities, which aren't really relevant to this discussion, and Adobe PDF Reader has become much much safer in recent years. I've edited the above to remove the reference.
Still, there's a fair-sized community out there who deserted Adobe products years ago because of its past security screw-ups…
Foxit has made an official statement on this issue, and is expected to release an improved version soon. https://www.foxitsoftware.com/support/security-bulletins.php
This is why I use SumatraPDF. It's so feature poor that the attack surface is almost non-existent.