Trend Micro’s Zero Day Initiative has released details about two remote code execution zero-day flaws affecting popular freemium PDF tool Foxit Reader.
The first one (CVE-2017-10951) is a command injection flaw that exists within the app.launchURL method, and arises because the method accepts more than just URLs as arguments. It does not filter file extensions, and therefore can be made to launch executables. It was discovered by Ariele Caltabiano.
Steven Seeley, the researcher who flagged the flaw, “exploited this vulnerability by embedding an HTA file in the document, then calling saveAS to write it to the startup folder, thus executing arbitrary VBScript code on startup.”
Both vulnerabilities require user interaction to be exploited, e.g. the target must visit a malicious page or open a malicious file.
Also, both vulnerabilities can be exploited only if the application’s Safe Reading Mode is disabled.
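Since both flaws hinge on document JavaScript calling app.launchURL with a non-URL argument or saveAs with an active-content file name, a defender can triage incoming PDFs for exactly those patterns. The scanner below is an added example, not code from the article, ZDI or Foxit; the PDF text it inspects is constructed inline, and it only reads unencoded /JS literal strings (real documents usually put JavaScript in compressed streams, so a full PDF parser is needed in production).

```python
import re
from typing import Dict, List

# Constructed sample input (not a real document or exploit): a PDF-like text with
# three JavaScript actions. Parentheses inside PDF literal strings are backslash-escaped.
SAMPLE_PDF = b"""%PDF-1.7
1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj
2 0 obj << /S /JavaScript /JS (app.launchURL\\("update.exe", true\\);) >> endobj
3 0 obj << /S /JavaScript /JS (app.launchURL\\("https://example.com/doc"\\);) >> endobj
4 0 obj << /S /JavaScript /JS (this.saveAs\\("/C/Users/Public/note.hta"\\);) >> endobj
%%EOF
"""

# Schemes that make a launchURL argument a genuine URL rather than a local file name.
URL_SCHEMES = ("http://", "https://", "mailto:", "ftp://")
# Extensions that Windows will execute as code if the written file is later opened.
ACTIVE_EXTS = (".hta", ".exe", ".vbs", ".js", ".bat", ".cmd", ".ps1", ".scr")

JS_RE = re.compile(rb"/JS\s*\((.*?)\)\s*>>", re.S)          # /JS (....) literal strings only
LAUNCH_RE = re.compile(r"app\.launchURL\s*\(\s*['\"]([^'\"]*)['\"]")
SAVEAS_RE = re.compile(r"\.saveAs\s*\(\s*['\"]([^'\"]*)['\"]")


def extract_js(pdf: bytes) -> List[str]:
    """Pull JavaScript out of /JS literal strings, un-escaping \\( and \\)."""
    return [m.group(1).decode("latin-1").replace("\\(", "(").replace("\\)", ")")
            for m in JS_RE.finditer(pdf)]


def scan_pdf(pdf: bytes) -> List[Dict[str, str]]:
    """Return one finding per suspicious launchURL/saveAs call found in the document."""
    findings: List[Dict[str, str]] = []
    for js in extract_js(pdf):
        for arg in LAUNCH_RE.findall(js):
            # A launchURL argument without a URL scheme is the CVE-2017-10951 pattern.
            if not arg.lower().startswith(URL_SCHEMES):
                findings.append({"api": "app.launchURL", "arg": arg,
                                 "reason": "argument is not a URL; may launch a local executable"})
        for path in SAVEAS_RE.findall(js):
            # saveAs writing an HTA/EXE/script is the file-write-to-startup pattern.
            if path.lower().endswith(ACTIVE_EXTS):
                findings.append({"api": "saveAs", "arg": path,
                                 "reason": "writes a file with an active-content extension"})
    return findings


if __name__ == "__main__":
    for f in scan_pdf(SAMPLE_PDF):
        print(f"{f['api']}({f['arg']!r}): {f['reason']}")
```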
Foxit Software were apprised of the discovery, but said they would not implement additional protection against exploitation.
Another good way to minimize the risk is to open only PDF files provided by a source you can trust (whether it’s a sender or a website).
UPDATE: Foxit Software got in touch and pointed out that they have a strong track record of responding quickly and fixing vulnerabilities.
“We are currently working to rapidly address the two vulnerabilities reported on the Zero Day Initiative blog and will quickly deliver software improvements. In the meantime, users can help protect themselves by using the Safe Reading Mode,” they explained.
“We apologize for our initial miscommunication when contacted about these vulnerabilities and are making changes to our procedures to mitigate the probability of it occurring again.”