More information can be found in Foxit’s security bulletin.

Found this article interesting? Follow Graham Cluley on Twitter to read more of the exclusive content we post.

“We plan to release a Reader/PhantomPDF 8.3.2 patch update this week (ETA Aug 25th) with additional guard against misuse of powerful (potentially insecure) JavaScript functions - this will make Foxit software equivalent to what Adobe does.”

Update: Foxit has released a security advisory, and confirmed that it will be issuing a security update to users:

Don’t download ANYTHING before you make sure the product has a good security record and will satisfy your needs. Just make sure you do your own research if you decide to go with one of these options.

I guess it’s back to the drawing board for users who aren’t running Foxit in Safe Reading mode.

For some other non-Adobe PDF readers, check out TechRadar’s list.

What a welcome gesture that would have been to Foxit Reader users, especially those who embraced the software while fleeing past Adobe vulnerabilities.

That’s all very well, but many of us are all too familiar with attacks which have seen innocent users duped into disabling safety features in order to allow poisonous payloads to execute.

Foxit could have used the patches to demonstrate that it takes its products’ security seriously and in a timely manner.

“Foxit Reader & PhantomPDF has a Safe Reading Mode which is enabled by default to control the running of JavaScript, which can effectively guard against potential vulnerabilities from unauthorized JavaScript actions.”

Earlier this month, Foxit Reader adopted a warning message before running any executable command embedded in a PDF. This is a follow-up security improvement to the Foxit Reader release on April 2nd, 2010. In its continued efforts of providing safer, faster and more stable PDF software tools, Foxit addresses recent security concerns by releasing a new version of its popular Foxit Reader.
The vendor said as much in a statement provided to AusCERT:

The new Foxit Reader further enhances PDF document viewing security by implementing a Safe Mode feature.

But they ultimately decided to disclose the flaws early after Foxit revealed it had no intention of fixing the bugs.

ZDI’s Ariele Caltabiano discovered the first flaw back in mid-May 2017, while Steven Seeley of Offensive Security found the second bug near the end of June.

Both researchers contacted Foxit about the issues shortly thereafter with the intention of following a 120-day responsible disclosure timeline.

When properly exploited, either of the flaws enables a remote attacker to execute arbitrary code.

Foxit PDF Reader’s second bug (CVE-2017-10952) also results from improper validation of user-supplied data, but it instead affects the saveAs JavaScript function.