Foxit PDF Reader is well and truly foxed up, but vendor won't patch

We've got Safe Mode and that's safe enough, vendor tells ~400m users

Updated: The Zero Day Initiative (ZDI) has gone public with a Foxit PDF Reader vulnerability without a fix, because the vendor resisted patching.

The ZDI made the decision last week that the two vulns, CVE-2017-10951 and CVE-2017-10952, warranted release so at least some of Foxit's 400 million users could protect themselves.

In both cases, the only chance at mitigation is to use the software's "Secure Mode" when opening files, something that users might skip in normal circumstances.

CVE-2017-10951 allows the app.launchURL method to execute a system call from a user-supplied string, with insufficient validation.

CVE-2017-10952 means the saveAs JavaScript function doesn't validate what the user supplies, letting an attacker write "arbitrary files into attacker controlled locations."

Both are restricted to execution with the user's rights.
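As an added triage example (not from the article, ZDI or Foxit), the following Python scanner flags PDFs whose embedded JavaScript calls the two APIs named above, app.launchURL and saveAs, so such files can be quarantined at a mail gateway or share regardless of whether Safe Reading Mode is on. The sample PDFs, the URL and the path are constructed placeholders; the CVE-to-API mapping follows the article.

```python
import re
import zlib

# Map the two JavaScript APIs named in the ZDI advisories to the CVE they belong to.
RISKY_CALLS = {
    "app.launchURL": "CVE-2017-10951: launchURL runs a system call on an unvalidated string",
    "saveAs": "CVE-2017-10952: saveAs writes to an unvalidated, attacker-chosen path",
}

# Constructed sample: a minimal PDF whose OpenAction runs JavaScript calling both APIs.
SAMPLE_PDF = b"""%PDF-1.7
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj
2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj
3 0 obj << /S /JavaScript /JS (app.launchURL("http://example.invalid/", true); this.saveAs("/c/tmp/out.txt");) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

def build_compressed_sample() -> bytes:
    """Constructed: the same launchURL call, but stored inside a FlateDecode stream."""
    js = zlib.compress(b'app.launchURL("http://example.invalid/", true);')
    return (b"%PDF-1.7\n4 0 obj << /S /JavaScript /JS 5 0 R >> endobj\n"
            b"5 0 obj << /Filter /FlateDecode /Length " + str(len(js)).encode()
            + b" >>\nstream\n" + js + b"\nendstream\nendobj\n%%EOF\n")

def _inflate_streams(data: bytes) -> bytes:
    """Return the file plus the inflated body of every zlib stream (heuristic; ignores /Length)."""
    parts = [data]
    for m in re.finditer(rb"stream\r?\n(.*?)\nendstream", data, re.S):
        try:
            parts.append(zlib.decompress(m.group(1)))
        except zlib.error:
            pass  # not zlib data (image, other filter); skip it
    return b"\n".join(parts)

def scan_pdf(data: bytes) -> dict:
    """Report JavaScript presence, auto-run triggers and calls to the two vulnerable APIs."""
    text = _inflate_streams(data)
    findings = {call: why for call, why in RISKY_CALLS.items()
                if re.search(re.escape(call.encode()) + rb"\s*\(", text)}
    return {
        "has_javascript": re.search(rb"/(JavaScript|JS)\b", text) is not None,
        "auto_run": b"/OpenAction" in text or b"/AA" in text,
        "findings": findings,
    }

if __name__ == "__main__":
    for name, pdf in [("plain", SAMPLE_PDF), ("flate", build_compressed_sample())]:
        print(name, scan_pdf(pdf))
```

Hex-escaped names (e.g. /J#53) and non-Flate filters are not handled, so treat a clean result as "nothing obvious", not as proof of safety.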

No fix

ZDI went public after its usual 120-day cycle because the software's authors, Foxit, made it clear no fix was coming, with this response:

"Foxit Reader & PhantomPDF has a Safe Reading Mode which is enabled by default to control the running of JavaScript, which can effectively guard against potential vulnerabilities from unauthorized JavaScript actions."

Foxit Software appears to be content to suggest users run its wares in Safe Mode, as its security advisories home page offers that advice for bugs identified in 2011.

The company did patch a dirty dozen bugs in 2016. ®

Update: On August 22, Foxit decided mitigation is necessary, as noted here.
