There are two remote code execution Zero Days affecting the PDF tool Foxit Reader.
One vulnerability is a command injection flaw in the app.launchURL method. It arises because the method accepts more than just URLs as arguments and does not filter file extensions, so an attacker can make it launch executables. It was discovered by researcher Ariele Caltabiano, who passed it along to Trend Micro’s Zero Day Initiative (ZDI), which released the details.
The other vulnerability is in the saveAs method. “SaveAs does not properly check the path it is given to write to,” said ZDI security researcher Abdul-Aziz Hariri in a blog post.
The method also does not check the file extension.
Steven Seeley, the researcher who found the issue, “exploited this vulnerability by embedding an HTA file in the document, then calling saveAS to write it to the startup folder, thus executing arbitrary vbscript code on startup.”
Both Zero Days require user interaction to exploit: the target must visit a malicious page or open a malicious file.
The vulnerabilities can be exploited only if the user disables the application’s Safe Reading Mode.
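The two missing checks described above (launchURL accepting arguments that are not URLs, saveAs validating neither the path nor the extension) are sketched here as an added example; it is not Foxit's code and does not come from the ZDI write-up. The function names, the allow-lists and the sample paths are assumptions made up for illustration.

```javascript
// Hypothetical validators for the two missing checks; not Foxit's code.
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);
const ALLOWED_SAVE_EXTENSIONS = new Set([".pdf"]); // allow-list, assumed policy

// launchURL-style check: accept only absolute http(s) URLs.
function isSafeLaunchTarget(arg) {
  let url;
  try {
    url = new URL(arg);
  } catch {
    return false; // bare file names and relative paths do not parse as URLs
  }
  // "C:\..." parses with scheme "c:" and "file:///..." with "file:"; both fail here.
  return ALLOWED_SCHEMES.has(url.protocol);
}

// Split a Windows path into lower-cased segments, resolving "." and ".." and
// dropping the trailing dots/spaces that Windows ignores in file names.
function windowsSegments(p) {
  const out = [];
  for (const raw of p.split(/[\\/]+/)) {
    if (raw === "" || raw === ".") continue;
    if (raw === "..") {
      if (out.length > 1) out.pop(); // never pop the drive segment
      continue;
    }
    const seg = raw.replace(/[. ]+$/, "").toLowerCase();
    if (seg !== "") out.push(seg);
  }
  return out;
}

// saveAs-style check: the resolved path must stay below allowedDir and end in
// an allow-listed extension.
function isSafeSavePath(target, allowedDir) {
  const base = windowsSegments(allowedDir);
  const full = windowsSegments(target);
  if (full.length <= base.length) return false; // no file name below the base
  if (!base.every((seg, i) => seg === full[i])) return false; // escaped the base
  if (full.slice(1).some((seg) => seg.includes(":"))) return false; // data stream
  const name = full[full.length - 1];
  const dot = name.lastIndexOf(".");
  return dot > 0 && ALLOWED_SAVE_EXTENSIONS.has(name.slice(dot));
}

// Constructed sample input: an HTA written outside the user's documents folder.
const docs = "C:\\Users\\alice\\Documents";
console.log(isSafeSavePath(docs + "\\..\\Startup\\evil.hta", docs)); // false
console.log(isSafeSavePath(docs + "\\report.pdf", docs)); // true
```

The save check resolves `..` before comparing against the allowed directory and uses an extension allow-list rather than a block-list, so an unlisted script type is rejected by default.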
Foxit Software released a statement on the issues:
“Foxit Software is deeply committed to delivering secure PDF products to its customers. Our track record is strong in responding quickly in fixing vulnerabilities. We are currently working to rapidly address the two vulnerabilities reported on the Zero Day Initiative blog and will quickly deliver software improvements. In the meantime, users can help protect themselves by using the Safe Reading Mode. We apologize for our initial miscommunication when contacted about these vulnerabilities and are making changes to our procedures to mitigate the probability of it occurring again.”