Number: AL17-010
Date: 18 August 2017
Purpose
The purpose of this alert is to bring attention to two recently disclosed zero-day vulnerabilities in Foxit Reader.
Assessment
Through open source reporting, CCIRC has been made aware of two recently disclosed zero-day vulnerabilities in Foxit Reader software that, when exploited though the JavaScript API in Foxit Reader, can allow remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader. However, user interaction is required to exploit both vulnerabilities in that the target must visit a malicious page or open a malicious file.
Foxit Reader is a popular free PDF reader that is distributed by many websites. There are also Foxit Reader plugins for Microsoft Office programs including Word, Excel and PowerPoint.
According to the security firm who has discovered the vulnerabilities, the vendor has decided to not fix the vulnerabilities because an attacker would need to bypass safe reading mode. This potentially however leaves the user exposed to high-impact vulnerabilities should a new technique arise allowing malicious actors to bypass the safe reading mode.
Suggested Action
Due to the risks that those vulnerabilities present, CCIRC recommends that system administrators restrain or limit the interactions with Foxit Reader and/or make sure that the safe reading mode is always activated.
References:
https://www.zerodayinitiative.com/blog/2017/8/17/busting-myths-in-foxit-reader
http://www.zerodayinitiative.com/advisories/ZDI-17-691/
http://www.zerodayinitiative.com/advisories/ZDI-17-692/