In an about-face, Foxit Software says it will fix a pair of zero days in its PDF reader Foxit Reader and PhantomPDF, its PDF editing software.
Foxit said it would push a patch for Reader and PhantomPDF, bringing the software to version 8.3.2, later this week—by Friday at the latest. The fixes come following a lengthy back and forth between the Zero Day Initiative and Foxit, which said several weeks ago it would not fix the vulnerabilities. ZDI had disclosed the bugs back in May.
Ariele Caltabiano and Steven Seeley, the researchers who found the bugs and worked with ZDI, discovered they could be triggered through Foxit Reader’s JavaScript API. The bugs, a command injection and a file-write vulnerability, can be exploited if an attacker bypasses Safe Reading Mode, a feature added to Foxit in 2010 to prevent unwanted PDF file actions, the researchers warn.
While Safe Reading Mode is enabled by default in both PhantomPDF and Foxit Reader, a user can disable it via the software’s preference settings.
Assuming an attacker could get a victim to visit a malicious page or open a malicious file, the file-write vulnerability could let a remote attacker execute arbitrary code. The flaw stems from the software’s saveAs JavaScript function, which fails to properly validate user-supplied data.
The second bug, the command injection vulnerability, could also let an attacker execute arbitrary code under the same conditions. That bug stemmed from the software’s app.launchURL method.
“The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call,” the Zero Day Initiative said in its disclosure of the bug on Aug. 17. “An attacker can leverage this vulnerability to execute code under the context of the current process.”
Foxit said it couldn’t reproduce the issues ZDI described in June, and in July said it wouldn’t fix the vulnerabilities because they could be mitigated through the software’s Secure Mode. That solution didn’t cut it for ZDI, which told the company on Aug. 8 it would move the vulnerabilities to zero-day status. As promised, the ZDI released details around both vulnerabilities, CVE-2017-10952 and CVE-2017-10951, in a blog post last Thursday.
Foxit issued a statement apologizing for what it called its initial miscommunication leading up to the fixes last week.
“Foxit Software is deeply committed to delivering secure PDF products to its customers. Our track record is strong in responding quickly in fixing vulnerabilities. We are currently working to rapidly address the two vulnerabilities reported on the Zero Day Initiative blog and will quickly deliver software improvements. We apologize for our initial miscommunication when contacted about these vulnerabilities and are making changes to our procedures to mitigate the probability of it occurring again.”
The company clarified on Tuesday that it plans on adding a mitigation to both PDF readers to ensure that only certified documents can run JavaScript functions when Safe Reading Mode is turned off. The code will “check if the document is digitally signed by a verifiable/trustworthy person or entity,” and make Foxit software “equivalent to what Adobe does,” according to the company.
Until it issues the patches, Foxit is encouraging PhantomPDF and Reader users to leave the software’s default setting, which disallows JavaScript execution, unchanged until they can verify the source of a document.
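For readers who triage inbound PDFs, the two API names the article gives (saveAs and app.launchURL) and the policy it describes (no JavaScript in Safe Reading Mode; with that mode off, only certified documents may run it) are enough to build a small detector. The following is an added example, not code from Foxit, ZDI or the researchers: it pulls every `/JS` literal or hex string out of a PDF byte string, reports which of the named methods the embedded script references and whether it fires on open, and applies the article's policy as I read it. The two sample documents are constructed inline and are only the shape a scanner must recognise, not working exploits; indirect or compressed `/JS` streams are deliberately not handled.

```python
import re

# APIs the article names as the source of the two bugs.
RISKY_APIS = ("saveAs", "app.launchURL")

# Constructed sample 1: a catalog whose /OpenAction runs JavaScript that calls
# app.launchURL. (Parentheses are PDF-escaped to exercise the string parser.)
SAMPLE_PDF = b"""%PDF-1.7
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj
2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj
3 0 obj << /S /JavaScript /JS (app.launchURL\\("http://example.invalid", true\\);) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Constructed sample 2: the same idea with a hex-encoded script calling saveAs
# and no /OpenAction, so it would need user interaction to run.
HEX_JS = b'this.saveAs("report.pdf");'
SAMPLE_PDF_HEX = (
    b"%PDF-1.7\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"3 0 obj << /S /JavaScript /JS <" + HEX_JS.hex().encode("ascii") + b"> >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)


def _literal_string(data, start):
    """Return (body, end_index) for the PDF literal string whose '(' is at data[start].
    Honors backslash escapes and nested parentheses; good enough for triage."""
    depth, out, i = 0, bytearray(), start
    while i < len(data):
        c = data[i:i + 1]
        if c == b"\\":                      # escape: keep the next byte literally
            out += data[i + 1:i + 2]
            i += 2
            continue
        if c == b"(":
            depth += 1
            if depth == 1:                  # opening paren of the string itself
                i += 1
                continue
        elif c == b")":
            depth -= 1
            if depth == 0:
                return bytes(out), i + 1
        out += c
        i += 1
    return bytes(out), i                    # unterminated string: return what we have


def extract_js(data):
    """Yield the body of every /JS entry stored as a literal or hex string."""
    for m in re.finditer(rb"/JS\s*", data):
        pos = m.end()
        first = data[pos:pos + 1]
        if first == b"(":
            yield _literal_string(data, pos)[0]
        elif first == b"<":
            end = data.find(b">", pos)
            digits = re.sub(rb"\s", b"", data[pos + 1:end])
            yield bytes.fromhex(digits.decode("ascii"))
        # '/JS 5 0 R' (indirect object, possibly a compressed stream) is not followed here.


def scan_pdf(data):
    """Summarise the JavaScript exposure of one PDF byte string."""
    scripts = list(extract_js(data))
    joined = b"\n".join(scripts)
    return {
        "has_javascript": bool(scripts) or b"/JavaScript" in data,
        "opens_automatically": b"/OpenAction" in data,
        "risky_apis": [api for api in RISKY_APIS if api.encode("ascii") in joined],
    }


def js_would_run(report, safe_reading_mode=True, certified=False):
    """Policy as the article describes it (my reading, not Foxit's exact logic):
    JavaScript never runs while Safe Reading Mode is on; with it off, the planned
    fix lets it run only for a document certified by a trusted signer."""
    if not report["has_javascript"]:
        return False
    if safe_reading_mode:
        return False
    return certified


def needs_review(report, **policy):
    """Flag a document that both references a named risky API and would execute."""
    return bool(report["risky_apis"]) and js_would_run(report, **policy)


if __name__ == "__main__":
    for name, doc in (("launchURL sample", SAMPLE_PDF), ("saveAs sample", SAMPLE_PDF_HEX)):
        rep = scan_pdf(doc)
        print(name, rep, "review with Safe Reading Mode off:",
              needs_review(rep, safe_reading_mode=False, certified=False))
```

Run over a mail gateway's quarantine or a folder of downloads, the `risky_apis` field tells an analyst which documents deserve a closer look, and `needs_review` shows why the vendor's interim advice (keep the default setting) closes the window on both samples regardless of what the script contains.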