Foxit's updated PDF reader remains vulnerable to attack

Adds warning dialog, but malware embedded in PDFs still a danger, says researcher

Reacting to a demonstration that showed how attackers could force-feed malware to users without exploiting an actual vulnerability, Foxit Software patched its PDF viewer last week.

But the Belgium researcher who showed how hackers could run executable code on a Windows PC from a malformed PDF said today that Foxit's fix didn't protect users from his attack tactics.

The April 1 update to Foxit Reader, a popular alternative to Adobe's own Reader, adds a warning that pops up when a PDF tries to launch an executable, a function that's permitted by the PDF specification. The change makes Foxit Reader behave similarly to Adobe Reader, which already sports such a warning.

"Foxit adds prompts to all pop-ups within PDFs," said Christina Wu of Foxit in an e-mail reply to questions today. "For example, if there is a .txt or .exe file [that] is going to open within a PDF, the old version of Reader will launch the file by calling the associated program from your system, without any inquiry. [The update] will detect it and launch a prompt to ask you if you want to execute it or not."

Didier Stevens, the researcher who last week demonstrated a multi-stage attack using the /Launch function, said that his proof-of-concept code -- which he has not released to the public -- still works when pitted against the updated Foxit Reader.

"The interesting thing about this fix is that it breaks my Foxit [proof-of-concept, or PoC], but ... the Adobe PoC works for Foxit now," said Stevens in an entry on his blog today .

Previously, Stevens was forced to come up with a separate workaround to successfully attack Foxit with a malformed PDF.

Stevens' technique doesn't require an underlying vulnerability in either Adobe Reader or Foxit Reader; all attackers need to do is dupe users into opening a malicious PDF. And last week, Stevens said that although Adobe Reader displays a warning when an executable inside a PDF file is launched, he had found a way to partially modify Adobe's warning to encourage a potential victim to allow the launch action.

While that kind of social engineering-based attack is nothing new, until now hackers needed an exploit of an unpatched software vulnerability to pull off a successful attack delivered via PDFs. In other words, a Windows PC that has a fully-patched, up-to-date copy of Adobe Reader or Foxit Reader can be exploited via rogue PDFs using Stevens' strategy.

Didier did not reply today to a request seeking further comment about the Foxit update, or whether he was able to change that program's warning message, as he has been able to do to Adobe's.

Today, Stevens also confirmed that Adobe Reader users can defend their PCs by disabling the /Launch function, a crucial component of his attack. To do so, users must clear the check from the box marked "Allow opening of non-PDF file attachments with external applications" in the Trust Manager section of Reader's preferences.

Foxit does not have a similar setting.

Last week, Adobe acknowledged seeing Stevens' no-bug-needed proof-of-concept demonstration, but it did not commit to making any change in its PDF software, saying only that it was "always listening to and evaluating ways to allow end-users and administrators to better manage and configure features like this one to mitigate potential associated risks."

The updated Foxit Reader is available from the company's site .

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer or subscribe to Gregg's RSS feed . His e-mail address is gkeizer@ix.netcom.com .

Read more about security in Computerworld's Security Knowledge Center.

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags pdf bug

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Gregg Keizer

Computerworld (US)
Show Comments

Father’s Day Gift Guide

Brand Post

PC World Evaluation Team Review - MSI GT75 TITAN

"I need power and lots of it. As a Front End Web developer anything less just won’t cut it which is why the MSI GT75 is an outstanding laptop for me. It’s a sleek and futuristic looking, high quality, beast that has a touch of sci-fi flare about it."

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Luke Hill

MSI GT75 TITAN

I need power and lots of it. As a Front End Web developer anything less just won’t cut it which is why the MSI GT75 is an outstanding laptop for me. It’s a sleek and futuristic looking, high quality, beast that has a touch of sci-fi flare about it.

Emily Tyson

MSI GE63 Raider

If you’re looking to invest in your next work horse laptop for work or home use, you can’t go wrong with the MSI GE63.

Laura Johnston

MSI GS65 Stealth Thin

If you can afford the price tag, it is well worth the money. It out performs any other laptop I have tried for gaming, and the transportable design and incredible display also make it ideal for work.

Andrew Teoh

Brother MFC-L9570CDW Multifunction Printer

Touch screen visibility and operation was great and easy to navigate. Each menu and sub-menu was in an understandable order and category

Louise Coady

Brother MFC-L9570CDW Multifunction Printer

The printer was convenient, produced clear and vibrant images and was very easy to use

Edwina Hargreaves

WD My Cloud Home

I would recommend this device for families and small businesses who want one safe place to store all their important digital content and a way to easily share it with friends, family, business partners, or customers.

Featured Content

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?