Security Alert: Critical Vulnerabilities Discovered in Foxit PDF Reader
Recent reports from security researchers have unveiled two significant zero-day vulnerabilities within Foxit PDF Reader that pose a serious threat to users. If exploited, these vulnerabilities could allow attackers to execute arbitrary code on targeted systems, particularly affecting those who do not utilize the software’s Safe Reading Mode.
The first vulnerability, identified as CVE-2017-10951, is a command injection flaw that was uncovered by Ariele Caltabiano, a member of Trend Micro’s Zero Day Initiative (ZDI). The second vulnerability, CVE-2017-10952, pertains to a file write issue discovered by Offensive Security researcher Steven Seeley. Both weaknesses can be exploited when users open specially crafted PDF files, potentially leading to severe security breaches.
Attackers could leverage these vulnerabilities by sending malicious PDFs to unsuspecting Foxit readers, prompting them to open the files. Although Foxit has emphasized that their Safe Reading Mode—enabled by default—provides a layer of protection by restricting JavaScript execution, researchers argue that this measure does not fully mitigate risks tied to the vulnerabilities. If attackers manage to circumvent Safe Reading Mode, the flaws could be exploited with grave consequences.
The CVE-2017-10951 vulnerability resides in a function called app.launchURL, which encourages the execution of attacker-provided strings on the targeted system due to insufficient validation. This flaw is particularly concerning and has been highlighted in accompanying demonstration videos.
CVE-2017-10952 exists within the “saveAs” JavaScript function, which permits the writing of arbitrary files at predefined locations on a system. This vulnerability has been demonstrated through techniques that illustrate how an attacker could embed a harmful HTA file within a document, facilitating the unauthorized execution of VBScript code upon startup.
Foxit has refuted the need for immediate patching, relying instead on the functionality of Safe Reading Mode. Nonetheless, security researchers point out that while this mode offers some protection, it does not entirely resolve the vulnerabilities. Any attempt to exploit them utilizing the JavaScript API remains a potential risk.
For those using Foxit Reader and PhantomPDF, it is crucial to confirm that Safe Reading Mode is enabled. Users might also consider disabling JavaScript actions through the Preferences menu for enhanced safety, although this could impair certain features.
Furthermore, vigilance is advisable when opening files received via email. As noted in previous reports, even common file types such as Microsoft PowerPoint have been associated with malware distribution, underscoring the importance of maintaining a cautious approach regarding email attachments.
In response to these vulnerabilities, a Foxit representative issued a statement asserting the company’s commitment to delivering secure PDF solutions. This response notes ongoing efforts to address the reported vulnerabilities while reaffirming the importance of utilizing Safe Reading Mode as a protective measure.
The implications of these vulnerabilities on business environments should not be underestimated. Targeted attacks leveraging such vulnerabilities may incorporate tactics identified in the MITRE ATT&CK framework, including initial access and execution techniques to infiltrate organizational systems.
In summary, business owners using Foxit PDF Reader must remain aware of these vulnerabilities and take proactive steps to safeguard their systems while anticipating potential exploitation tactics from malicious actors.