In an about-face, Foxit Software says it will fix a pair of zero-day vulnerabilities in Foxit Reader, its PDF reader, and PhantomPDF, its PDF editing software.
Foxit said it would push a patch for Reader and PhantomPDF, bringing both products to version 8.3.2, later this week, by Friday at the latest. The fixes follow a lengthy back-and-forth between the Zero Day Initiative (ZDI) and Foxit, which said several weeks ago it would not fix the vulnerabilities. ZDI had reported the bugs to Foxit back in May.
While Safe Reading Mode is enabled by default in both PhantomPDF and Foxit Reader, a user can disable it via the software’s preference settings.
The second bug, a command injection vulnerability, could also let an attacker execute arbitrary code under the same conditions. That bug stemmed from the software's app.launchURL method.
“The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call,” the Zero Day Initiative said in its disclosure of the bug on Aug. 17. “An attacker can leverage this vulnerability to execute code under the context of the current process.”
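To make the bug class ZDI describes concrete (a caller-controlled string reaching a system call without validation), here is an added, generic illustration written for this page. It is not Foxit's code and makes no claim about how app.launchURL is implemented internally; the opener name xdg-open is a stand-in, and the URLs in the demo are constructed. The unsafe helper pastes the string into a shell command line, so anything after a shell metacharacter becomes a second command; the hardened helper validates the scheme and host, then passes the URL as a single argv element so no shell ever parses it.

```python
import subprocess
from urllib.parse import urlparse

ALLOWED_SCHEMES = {"http", "https"}
OPENER = "xdg-open"  # assumed stand-in for whatever the host application launches


def build_unsafe_command(url: str, opener: str = OPENER) -> str:
    """Vulnerable pattern: the caller-controlled string is concatenated into a
    command line that would then be handed to a shell (system(), shell=True).
    Returned as a string here so it can be inspected without being executed."""
    return f"{opener} {url}"


def validate_url(url: str) -> bool:
    """Accept only well-formed http(s) URLs that name a host.

    Rejects control characters and raw whitespace/quotes (a well-formed URL
    percent-encodes them) and any scheme outside the allow-list, which also
    blocks file:, javascript: and strings that start with an option dash."""
    if not url or any(ord(c) < 0x20 or ord(c) == 0x7F for c in url):
        return False
    if any(c in url for c in " \t\"'`"):
        return False
    parts = urlparse(url)
    return parts.scheme.lower() in ALLOWED_SCHEMES and bool(parts.netloc)


def build_safe_argv(url: str, opener: str = OPENER):
    """Hardened pattern: validate first, then hand the URL over as one argv
    element. Shell metacharacters that survive validation are inert because
    no shell tokenises the argument. Returns None when the URL is rejected."""
    if not validate_url(url):
        return None
    return [opener, url]


def launch(url: str, opener: str = OPENER) -> bool:
    """Launch the URL without a shell; False if validation rejected it."""
    argv = build_safe_argv(url, opener)
    if argv is None:
        return False
    subprocess.run(argv, check=False)  # note: no shell=True
    return True


if __name__ == "__main__":
    # Constructed inputs: a benign injection payload and an allow-list bypass attempt.
    for u in ("http://example.com/; echo INJECTED",
              "http://example.com;echo%20INJECTED",
              "file:///etc/passwd"):
        print("unsafe shell line :", build_unsafe_command(u))
        print("hardened argv     :", build_safe_argv(u))
```

The second constructed URL shows why the allow-list alone is not the fix: it passes validation (no whitespace, an http scheme and a host), and as a shell line a `;` would still split it into two commands, but as a single argv element it is harmless. Validation narrows what can be launched; keeping the shell out of the path is what removes the injection.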
In June, Foxit said it couldn't reproduce the issues ZDI described, and in July it said it wouldn't fix the vulnerabilities because they could be mitigated through the software's Safe Reading Mode. That answer didn't satisfy ZDI, which told the company on Aug. 8 that it would move the vulnerabilities to zero-day status. As promised, ZDI released details of both vulnerabilities, CVE-2017-10952 and CVE-2017-10951, in a blog post last Thursday.
In a statement issued last week, Foxit apologized for what it called its initial miscommunication about the vulnerabilities.
“Foxit Software is deeply committed to delivering secure PDF products to its customers. Our track record is strong in responding quickly in fixing vulnerabilities. We are currently working to rapidly address the two vulnerabilities reported on the Zero Day Initiative blog and will quickly deliver software improvements. We apologize for our initial miscommunication when contacted about these vulnerabilities and are making changes to our procedures to mitigate the probability of it occurring again.”