Foxit Reader vulnerabilities: What can be done to mitigate them?
Two critical, zero-day Foxit Reader vulnerabilities haven't been patched and pose a threat to enterprises. Judith Myerson explains the vulnerabilities and how to mitigate them.
My company uses Foxit Reader to track who opens a PDF document and what they do, and to notify readers of new updates. There were recently two critical, zero-day vulnerabilities found in Foxit Reader. What are the vulnerabilities, and what should be done to mitigate them?
Attackers can exploit the two Foxit Reader vulnerabilities by bypassing the default safe reading mode; the JavaScript API in Foxit Reader sets the stage for triggering them.
The first of the two Foxit Reader vulnerabilities -- CVE-2017-10951 -- is a command injection bug that was discovered by security researcher Ariele Caltabiano, who was working with Trend Micro's Zero Day Initiative.
The bug hides in app.launchURL, a JavaScript function. The function accepts strings from any source because it does not properly validate them. In a simple scenario, the attacker crafts strings and injects them into the function. The attack begins when the victim gets a phishing email that looks like it is from a legitimate website. The attacker waits for the victim to click the attachment, which is made to look like a shipping order. The function is then triggered, enabling the attacker to remotely gain control of the victim's PC.
The second of the Foxit Reader vulnerabilities -- CVE-2017-10952 -- is a file write issue that was found by Offensive Security researcher Steven Seeley. It involves the saveAs JavaScript function, which enables the attacker to save a document as a new file on the victim's PC.
In a simple scenario, the attack starts when the victim opens an email attachment that looks like a book order purchase. The document is embedded with an HTML application file containing malicious VBScript code. The JavaScript function is triggered as the victim saves the document. The attacker takes control of the victim's PC and crashes it.
Foxit refused to patch the two vulnerabilities because the patches would not work with safe reading mode. As a partial solution, the researchers recommend users stay away from suspicious-looking phishing emails and spam, ensure safe reading mode is enabled, and uncheck Enable JavaScript Actions from Foxit's preferences, although that may break some functionality.
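To complement the mitigations above, the following added example (not from the article or from Foxit) shows a triage check a mail or file gateway could run: it flags PDFs that carry JavaScript or auto-run action names, or that reference the two API functions named here, including inside Flate-compressed streams and hex-escaped names. The function names, finding labels and sample document are assumptions constructed for illustration.

```python
import re
import zlib

# PDF name tokens that introduce script or automatic actions (PDF specification).
ACTION_NAMES = (b"/JavaScript", b"/JS", b"/OpenAction", b"/AA")
# The two JavaScript API functions named in the article.
API_CALLS = (b"launchURL", b"saveAs")

STREAM_RE = re.compile(rb"stream\r?\n(.*?)endstream", re.DOTALL)
HEX_ESCAPE_RE = re.compile(rb"#([0-9A-Fa-f]{2})")


def decode_names(data):
    """Undo #XX escapes in PDF names, e.g. /J#61vaScript -> /JavaScript."""
    return HEX_ESCAPE_RE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def inflated_streams(data):
    """Yield the contents of Flate-compressed streams; skip anything else."""
    for match in STREAM_RE.finditer(data):
        try:
            # decompressobj tolerates the line break left after the stream data.
            yield zlib.decompressobj().decompress(match.group(1))
        except zlib.error:
            continue


def triage_pdf(data):
    """Return sorted findings such as 'name:/JS' or 'api:launchURL'."""
    views = [decode_names(data)] + [decode_names(s) for s in inflated_streams(data)]
    findings = set()
    for view in views:
        for name in ACTION_NAMES:
            # Lookahead stops /JS or /AA matching a longer, unrelated name.
            if re.search(re.escape(name) + rb"(?![A-Za-z0-9])", view):
                findings.add("name:" + name.decode())
        for call in API_CALLS:
            if call in view:
                findings.add("api:" + call.decode())
    return sorted(findings)


def build_sample():
    """Constructed, harmless test document: opens a placeholder URL on load."""
    js = zlib.compress(b'app.launchURL("https://example.invalid/");')
    head = b"%PDF-1.7\n1 0 obj\n<< /OpenAction << /S /J#61vaScript /JS 2 0 R >> >>\nendobj\n"
    obj = b"2 0 obj\n<< /Filter /FlateDecode /Length " + str(len(js)).encode() + b" >>\nstream\n"
    return head + obj + js + b"\nendstream\nendobj\n%%EOF\n"
```

A finding means the file deserves review or quarantine, not that it is malicious; streams that use other filters or encryption are not inspected by this check.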