Foxit's updated PDF reader remains vulnerable to attack

Adds warning dialog, but malware embedded in PDFs still a danger, says researcher

Reacting to a demonstration that showed how attackers could force-feed malware to users without exploiting an actual vulnerability, Foxit Software patched its PDF viewer last week.

But the Belgium researcher who showed how hackers could run executable code on a Windows PC from a malformed PDF said today that Foxit's fix didn't protect users from his attack tactics.

The April 1 update to Foxit Reader, a popular alternative to Adobe's own Reader, adds a warning that pops up when a PDF tries to launch an executable, a function that's permitted by the PDF specification. The change makes Foxit Reader behave similarly to Adobe Reader, which already sports such a warning.

"Foxit adds prompts to all pop-ups within PDFs," said Christina Wu of Foxit in an e-mail reply to questions today. "For example, if there is a .txt or .exe file [that] is going to open within a PDF, the old version of Reader will launch the file by calling the associated program from your system, without any inquiry. [The update] will detect it and launch a prompt to ask you if you want to execute it or not."

Didier Stevens, the researcher who last week demonstrated a multi-stage attack using the /Launch function, said that his proof-of-concept code -- which he has not released to the public -- still works when pitted against the updated Foxit Reader.

"The interesting thing about this fix is that it breaks my Foxit [proof-of-concept, or PoC], but ... the Adobe PoC works for Foxit now," said Stevens in an entry on his blog today .

Previously, Stevens was forced to come up with a separate workaround to successfully attack Foxit with a malformed PDF.

Stevens' technique doesn't require an underlying vulnerability in either Adobe Reader or Foxit Reader; all attackers need to do is dupe users into opening a malicious PDF. And last week, Stevens said that although Adobe Reader displays a warning when an executable inside a PDF file is launched, he had found a way to partially modify Adobe's warning to encourage a potential victim to allow the launch action.

While that kind of social engineering-based attack is nothing new, until now hackers needed an exploit of an unpatched software vulnerability to pull off a successful attack delivered via PDFs. In other words, a Windows PC that has a fully-patched, up-to-date copy of Adobe Reader or Foxit Reader can be exploited via rogue PDFs using Stevens' strategy.

Didier did not reply today to a request seeking further comment about the Foxit update, or whether he was able to change that program's warning message, as he has been able to do to Adobe's.

Today, Stevens also confirmed that Adobe Reader users can defend their PCs by disabling the /Launch function, a crucial component of his attack. To do so, users must clear the check from the box marked "Allow opening of non-PDF file attachments with external applications" in the Trust Manager section of Reader's preferences.

Foxit does not have a similar setting.

Last week, Adobe acknowledged seeing Stevens' no-bug-needed proof-of-concept demonstration, but it did not commit to making any change in its PDF software, saying only that it was "always listening to and evaluating ways to allow end-users and administrators to better manage and configure features like this one to mitigate potential associated risks."

The updated Foxit Reader is available from the company's site .

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer or subscribe to Gregg's RSS feed . His e-mail address is gkeizer@ix.netcom.com .

Read more about security in Computerworld's Security Knowledge Center.

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags pdf bug

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.
Gregg Keizer

Gregg Keizer

Computerworld (US)
Show Comments

Brand Post

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Tom Pope

Dynabook Portégé X30L-G

Ultimately this laptop has achieved everything I would hope for in a laptop for work, while fitting that into a form factor and weight that is remarkable.

Tom Sellers

MSI P65

This smart laptop was enjoyable to use and great to work on – creating content was super simple.

Lolita Wang

MSI GT76

It really doesn’t get more “gaming laptop” than this.

Jack Jeffries

MSI GS75

As the Maserati or BMW of laptops, it would fit perfectly in the hands of a professional needing firepower under the hood, sophistication and class on the surface, and gaming prowess (sports mode if you will) in between.

Taylor Carr

MSI PS63

The MSI PS63 is an amazing laptop and I would definitely consider buying one in the future.

Christopher Low

Brother RJ-4230B

This small mobile printer is exactly what I need for invoicing and other jobs such as sending fellow tradesman details or step-by-step instructions that I can easily print off from my phone or the Web.

Featured Content

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?