Foxit Reader zero-day vulnerability.

Iconic

Somebody posted this link on another forum and although I have read it a few times I still cannot understand it!
http://www.theregister.co.uk/2013/01/11/foxit_pdf_plugin_vuln/

As 5.4.4.1128 is the latest version can I assume the only safe way to use Foxit it is when you are not connected to the internet?

colin79666

Basically it is perfectly safe to open PDFs you have already downloaded. But having it installed means any web link could infact take over your machine.

Either disable the Foxit plugin so it cannot be launched automatically by the browser or uninstall it altogether and install the latest version of Adobe Reader.

Lum

Adobe Reader is even worse than Foxit for security holes! If you don't need access to the "advanced" features of PDF files, e.g. filling in forms, embedded video, 3d images, javascript and other things that don't belong anywhere near a Portable Document Format then have a look at Sumatra PDF

http://blog.kowalczyk.info/software/sumatrapdf/free-pdf-reader.html

It's open source and just does the basic displaying of documents so there are less stupid features for malware authors to exploit.


If you want to stick with Foxit, don't open any PDFs from the internet until they have put a patch out. (and you have installed the patch, obviously!)



For those wondering how this exploit works, it looks like it's a "buffer overrun" vulnerability. In this case when you click on a link to a PDF file on some website, your browser will tell foxit to open a PDF from e.g. http://example.com/document.pdf if the web page makes that web address really really long then it ends up bigger than the amount of space Foxit allows for storing a web address, the extra spills out and ends up overwriting part of the Foxit software. You can use this to inject your own computer program into Foxit reader causing the reader to, say, install malware in the bakground.

poppellerant

I use Foxit, and will continue to do so until Firefox can open PDF files by itself - which might not be that long, according to this link.

Just use common sense, and don't open PDF files from suspicious sites that offer you to open PDF files out of the blue. Also don't follow suspicious links to PDF files from emails, or even anybody. If you expect to open a PDF file, say when viewing a bill online, then by all means do that.

Iconic

Many thanks for the replies.

Zero-day vulnerability, stack overflows and buffer overruns are a bit beyond me but I understand them a little more now!

Lum

zero-day just means that someone has found a new way to hack it and, instead of notifying the Foxit people and allowing them to fix it, they have published how to do it instead. It means that the exploit is "in the wild" "zero days" after being discovered.

Trying to think of a simpler way to explain a buffer overrun... ok pretend you keep your socks on one side of a drawer and your knickers on the other side. One day you put too many knickers in so they spill over onto the sock side... since a computer just does exactly what it is told without thinking, if you do this it will end up going to work one morning with knickers on it's feet.

The solution is to check that you don't put too much of either in, and that check is what the Foxit people missed with this one. It's pretty basic stuff but it pops up far too often in computing.