Security researchers Steven Seeley (mr_me) and Ariele Caltabiano (kimiya) have found two dangerous zero-day security vulnerabilities in Foxit Reader. The vulnerabilities are command injection and file write bugs that can be triggered through the JavaScript API in Foxit PDF Reader.
In order to exploit these issues, an attacker would need to bypass Safe Reading Mode. The vulnerabilities could enable attackers to execute arbitrary code on vulnerable installations of Foxit Reader.
Unfortunately, the company decided not to patch the vulnerabilities and provided the following statement:
“Foxit Reader & PhantomPDF has a Safe Reading Mode which is enabled by default to control the running of JavaScript, which can effectively guard against potential vulnerabilities from unauthorized JavaScript actions.”
The first flaw (CVE-2017-10951) allows remote attackers to execute arbitrary code on a targeted machine. User interaction is needed to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
The second flaw (CVE-2017-10952) enables remote attackers to execute arbitrary code on a targeted machine. User interaction is also needed to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
“It’s quite amazing how much we can find by digging behind the scenes into Foxit’s JavaScript API. Users of Foxit’s Reader and PhantomPDF should ensure they have Safe Reading Mode and hope attackers don’t discover a way to disable it. Additionally, you can uncheck the ‘Enable JavaScript Actions’ from Foxit’s Preferences menu, although this may break some functionality.”
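Because both bugs are triggered through the JavaScript API, a defensive complement to Safe Reading Mode is to flag PDFs that carry JavaScript before they reach a reader. The following is an added example, not code from the researchers or Foxit: a minimal Python triage over raw PDF bytes, where the function names, verdict strings and sample documents are constructed for illustration.

```python
import re

# PDF names worth flagging: JavaScript carriers, automatic triggers, and
# object streams (which can hide names from a raw byte scan).
JS_NAMES = {"JS", "JavaScript"}
TRIGGER_NAMES = {"OpenAction", "AA"}
WATCHED = JS_NAMES | TRIGGER_NAMES | {"ObjStm"}

# A PDF name is '/' followed by non-delimiter, non-whitespace bytes.
NAME_RE = re.compile(rb"/([^\x00\t\n\x0c\r ()<>\[\]{}/%]+)")
HEX_RE = re.compile(rb"#([0-9A-Fa-f]{2})")


def decode_name(raw: bytes) -> str:
    """Undo #xx escapes so 'J#61vaScript' compares equal to 'JavaScript'."""
    return HEX_RE.sub(lambda m: bytes([int(m.group(1), 16)]), raw).decode("latin-1")


def triage_pdf(data: bytes) -> dict:
    """Count watched names in raw PDF bytes and return a handling verdict."""
    counts = {name: 0 for name in WATCHED}
    for match in NAME_RE.finditer(data):
        name = decode_name(match.group(1))
        if name in counts:
            counts[name] += 1
    has_js = any(counts[n] for n in JS_NAMES)
    auto_run = has_js and any(counts[n] for n in TRIGGER_NAMES)
    if has_js:
        verdict = "quarantine"
    elif counts["ObjStm"]:
        # Compressed object streams were not inspected, so do not call it clean.
        verdict = "needs-deeper-parse"
    else:
        verdict = "no-javascript-seen"
    return {"counts": counts, "auto_run": auto_run, "verdict": verdict}


# Constructed samples: a catalog whose open action is a JavaScript action
# (with the /JavaScript name partly hex-escaped), and a plain catalog.
SAMPLE_JS = (b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog /OpenAction 2 0 R >>\nendobj\n"
             b"2 0 obj\n<< /S /J#61vaScript /JS (app.alert\\(1\\);) >>\nendobj\n")
SAMPLE_PLAIN = b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"

if __name__ == "__main__":
    print(triage_pdf(SAMPLE_JS))
    print(triage_pdf(SAMPLE_PLAIN))
```

A raw scan like this cannot see inside compressed or encrypted content, which is why object streams yield a separate verdict rather than a clean result.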