Foxit's updated PDF reader remains vulnerable to attack

Adds warning dialog, but malware embedded in PDFs still a danger, says researcher

Reacting to a demonstration that showed how attackers could force-feed malware to users without exploiting an actual vulnerability, Foxit Software patched its PDF viewer last week.

But the Belgium researcher who showed how hackers could run executable code on a Windows PC from a malformed PDF said today that Foxit's fix didn't protect users from his attack tactics.

The April 1 update to Foxit Reader, a popular alternative to Adobe's own Reader, adds a warning that pops up when a PDF tries to launch an executable, a function that's permitted by the PDF specification. The change makes Foxit Reader behave similarly to Adobe Reader, which already sports such a warning.

"Foxit adds prompts to all pop-ups within PDFs," said Christina Wu of Foxit in an e-mail reply to questions today. "For example, if there is a .txt or .exe file [that] is going to open within a PDF, the old version of Reader will launch the file by calling the associated program from your system, without any inquiry. [The update] will detect it and launch a prompt to ask you if you want to execute it or not."

Didier Stevens, the researcher who last week demonstrated a multi-stage attack using the /Launch function, said that his proof-of-concept code -- which he has not released to the public -- still works when pitted against the updated Foxit Reader.

"The interesting thing about this fix is that it breaks my Foxit [proof-of-concept, or PoC], but ... the Adobe PoC works for Foxit now," said Stevens in an entry on his blog today .

Previously, Stevens was forced to come up with a separate workaround to successfully attack Foxit with a malformed PDF.

Stevens' technique doesn't require an underlying vulnerability in either Adobe Reader or Foxit Reader; all attackers need to do is dupe users into opening a malicious PDF. And last week, Stevens said that although Adobe Reader displays a warning when an executable inside a PDF file is launched, he had found a way to partially modify Adobe's warning to encourage a potential victim to allow the launch action.

While that kind of social engineering-based attack is nothing new, until now hackers needed an exploit of an unpatched software vulnerability to pull off a successful attack delivered via PDFs. In other words, a Windows PC that has a fully-patched, up-to-date copy of Adobe Reader or Foxit Reader can be exploited via rogue PDFs using Stevens' strategy.

Didier did not reply today to a request seeking further comment about the Foxit update, or whether he was able to change that program's warning message, as he has been able to do to Adobe's.

Today, Stevens also confirmed that Adobe Reader users can defend their PCs by disabling the /Launch function, a crucial component of his attack. To do so, users must clear the check from the box marked "Allow opening of non-PDF file attachments with external applications" in the Trust Manager section of Reader's preferences.

Foxit does not have a similar setting.

Last week, Adobe acknowledged seeing Stevens' no-bug-needed proof-of-concept demonstration, but it did not commit to making any change in its PDF software, saying only that it was "always listening to and evaluating ways to allow end-users and administrators to better manage and configure features like this one to mitigate potential associated risks."

The updated Foxit Reader is available from the company's site .

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer or subscribe to Gregg's RSS feed . His e-mail address is gkeizer@ix.netcom.com .

Read more about security in Computerworld's Security Knowledge Center.

Tags securitypdf bug

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Gregg Keizer

Computerworld (US)

Comments

Comments are now closed.

Most Popular Reviews

Follow Us

Best Deals on GoodGearGuide

Shopping.com

Latest News Articles

Resources

GGG Evaluation Team

Kathy Cassidy

STYLISTIC Q702

First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni

STYLISTIC Q572

For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Steph Mundell

LIFEBOOK UH574

The Fujitsu LifeBook UH574 allowed for great mobility without being obnoxiously heavy or clunky. Its twelve hours of battery life did not disappoint.

Andrew Mitsi

STYLISTIC Q702

The screen was particularly good. It is bright and visible from most angles, however heat is an issue, particularly around the Windows button on the front, and on the back where the battery housing is located.

Simon Harriott

STYLISTIC Q702

My first impression after unboxing the Q702 is that it is a nice looking unit. Styling is somewhat minimalist but very effective. The tablet part, once detached, has a nice weight, and no buttons or switches are located in awkward or intrusive positions.

Latest Jobs

Shopping.com

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?