Critical vulnerabilities have been discovered in Foxit PDF Reader


Security researchers Steven Seeley (mr_me) and Ariele Caltabiano (kimiya) have found two dangerous zero-day security vulnerabilities in Foxit Reader. The vulnerabilities are Command Injection and File Write bugs that can be triggered through the JavaScript API in Foxit PDF Reader.

In order to exploit these issues, an attacker would need to bypass Safe Reading Mode. The vulnerabilities could enable attackers to execute arbitrary code on vulnerable installations of Foxit Reader.

Unfortunately, the company decided not to patch the vulnerabilities and provided the following statement:
“Foxit Reader & PhantomPDF has a Safe Reading Mode which is enabled by default to control the running of JavaScript, which can effectively guard against potential vulnerabilities from unauthorized JavaScript actions.”

The first flaw (CVE-2017-10951) allows remote attackers to execute arbitrary code on a targeted machine. User interaction is needed to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.

The second flaw (CVE-2017-10952) enables remote attackers to execute arbitrary code on a targeted machine. User interaction is also needed to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.

“It’s quite amazing how much we can find by digging behind the scenes into Foxit’s JavaScript API. Users of Foxit’s Reader and PhantomPDF should ensure they have Safe Reading Mode and hope attackers don’t discover a way to disable it. Additionally, you can uncheck the “Enable JavaScript Actions” from Foxit’s Preferences menu, although this may break some functionality.”
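A defender-side triage check for the point above, added here as an example and not taken from the researchers or Foxit: because both bugs are reached through the JavaScript API, it flags PDFs that carry JavaScript actions before they are opened. The function names and the sample document are constructed for illustration, and a hit means the file deserves review, not that it is malicious.

```python
import re
import zlib

SCRIPT_NAMES = ("JS", "JavaScript")    # script-bearing action keys
TRIGGER_NAMES = ("OpenAction", "AA")   # keys that run an action without a click
NAME_RE = re.compile(rb"/([^\s/<>\[\]()%{}]+)")
STREAM_RE = re.compile(rb"stream\r?\n(.*?)endstream", re.DOTALL)

def decode_name(raw: bytes) -> str:
    """Undo #xx hex escapes so /J#61vaScript is read as JavaScript."""
    unescaped = re.sub(rb"#([0-9A-Fa-f]{2})",
                       lambda m: bytes([int(m.group(1), 16)]), raw)
    return unescaped.decode("latin-1")

def expand_streams(data: bytes) -> bytes:
    """Replace each stream body with its inflated form when it is Flate data."""
    def inflate(match):
        try:
            return zlib.decompressobj().decompress(match.group(1))
        except zlib.error:
            return match.group(1)  # other filter or encrypted: keep raw bytes
    return STREAM_RE.sub(inflate, data)

def triage_pdf(data: bytes) -> dict:
    """Count script and trigger names; a hit means 'review', not 'malicious'."""
    counts = {name: 0 for name in SCRIPT_NAMES + TRIGGER_NAMES}
    for match in NAME_RE.finditer(expand_streams(data)):
        name = decode_name(match.group(1))
        if name in counts:
            counts[name] += 1
    has_js = any(counts[n] for n in SCRIPT_NAMES)
    return {**counts, "has_javascript": has_js,
            "auto_runs": has_js and any(counts[n] for n in TRIGGER_NAMES)}

# Constructed sample: the action sits in a Flate stream under a hex-escaped name.
_HIDDEN = zlib.compress(b"<< /S /J#61vaScript /JS (placeholder) >>")
SAMPLE = (b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog /OpenAction 5 0 R >>\nendobj\n"
          b"2 0 obj\n<< /Type /ObjStm /Filter /FlateDecode >>\nstream\n"
          + _HIDDEN + b"\nendstream\nendobj\n%%EOF\n")

if __name__ == "__main__":
    print(triage_pdf(SAMPLE))
```

Encrypted documents and streams using filters other than Flate are not decoded here, so a clean result on such a file is not conclusive.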


William Fieldhouse

I currently work full time as a penetration tester and have been involved within the IT security industry for over a decade. I also love to pioneer any forms of new technology and ideologies for future advancements. Feel free to contact me at [email protected]
