Two Serious Security Flaws Outfox Foxit Reader
Say what you will about public shaming, but it does sometimes get results. Researchers discovered two huge flaws in Foxit Reader, a freemium, lightweight, ubiquitous PDF reader. Rather than patch the flaws in its product, Foxit Software claimed that its existing options were protection enough — until the findings went public, anyway. Now, Foxit Software is hard at work on a patch, but there are still steps you can take to stay secure in the meantime.
The information about the flaws comes from Tokyo-based security firm Trend Micro’s Zero Day Initiative program. ZDI invites security researchers to share information about flaws discovered in the wild, then shares that information with developers and, if necessary, the general public.
Researchers Steven Seeley and Ariele Caltabiano (neither of whom is directly affiliated with Trend Micro) discovered two huge vulnerabilities in Foxit Reader back in May and June. In late July, after looking into the issue, Foxit Software decided that issuing a fix wouldn’t be necessary.
To fully understand the threat (and how to protect yourself), users should understand how the vulnerabilities work. Without going into exhausting detail, both flaws could let malefactors attack a system by distributing malicious files. Foxit Reader’s URL parser can be tricked into loading malicious websites, or even files that aren’t URLs at all. Likewise, its “saveAs” feature could be manipulated into loading malicious programs during a computer’s startup procedure.
The exact mechanisms of each flaw are a bit complicated. Suffice to say that each one could run malicious code on an unsuspecting user’s machine — even though they do require user interaction. But it’s easy enough to distribute a fake PDF online and seed it with malware.
Foxit Software argued, at first, that Foxit Reader's Safe Reading Mode feature was enough to protect users. And that’s true: by default, Foxit Reader’s Safe Reading Mode is active, and prevents the program from loading up malicious sites or files. However, like any safeguard, it can be overzealous, and deactivating it might be necessary for more advanced users.
Believing that Foxit Software was unwilling to patch its program, ZDI made its findings public. Shortly thereafter, Foxit Software contacted the researchers once again:
“Our track record is strong in responding quickly in fixing vulnerabilities. We are currently working to rapidly address the two vulnerabilities reported on the Zero Day Initiative blog and will quickly deliver software improvements. … We apologize for our initial miscommunication when contacted about these vulnerabilities and are making changes to our procedures to mitigate the probability of it occurring again.”
So there you have it. Foxit Reader has been, well, outfoxed, but the company is doing its best to mitigate the damage. In the meantime, keep Safe Reading Mode active, and you’ll stop potential cybercriminals from viewing you as prey.
Image credit: Public domain