The Zero Day Initiative is taking the makers of the Foxit free PDF reader to task for failing to fix two zero-day vulnerabilities that would allow a remote attacker to execute arbitrary code on vulnerable installations of Foxit Reader.
The vulnerabilities, CVE-2017-10951 and CVE-2017-10952, are Command Injection and File Write flaws that are triggered through the reader's JavaScript API when the Safe Reading Mode is bypassed, ZDI wrote. ZDI informed Foxit of the issues, but the company declined to make any changes.
“Foxit Reader & PhantomPDF has a Safe Reading Mode which is enabled by default to control the running of JavaScript, which can effectively guard against potential vulnerabilities from unauthorized JavaScript actions,” was Foxit's response to ZDI, the latter said.
ZDI disagreed with this analysis. The researcher who found CVE-2017-10951, Ariele Caltabiano, said the reader does not check whether the input data is a URL, which should be the only thing accepted, but instead will accept full paths. The reader also does not filter any file extensions, allowing an outsider to execute commands. A similar issue had previously been found in Adobe Reader.
However, Foxit told SC Media that it is moving to fix the issue.
"We are currently working to rapidly address the two vulnerabilities reported on the Zero Day Initiative blog and will quickly deliver software improvements. In the meantime, users can help protect themselves by using the Safe Reading Mode. We apologize for our initial miscommunication when contacted about these vulnerabilities and are making changes to our procedures to mitigate the probability of it occurring again," a spokesperson said.