It can be used to create malicious PDF files that execute arbitrary code

Mar 13, 2009 14:06 GMT

Several serious vulnerabilities affecting the Adobe Reader alternative, developed by Foxit Software, have been recently disclosed. Security professionals now warn that proof-of-concept (PoC) exploit code for one of the more critical ones has also been made available and could be used in future attacks.

On 9 March, Foxit released security updates for its Reader product versions 3.0 and 2.3. As explained in the accompanying advisory, these addressed three serious flaws reported by CORE Security and Secunia, two vulnerability research companies.

One of the bugs reported by CORE was categorized as a stack-based buffer overflow and allowed an attacker to run commands or execute files by tricking a potential victim into opening a maliciously crafted PDF file. A programmer identifying himself as "SkD" has made available a fully working exploit for this vulnerability. According to the code comments, he has written the PoC for Windows XP SP3 and it is based on information published by CORE.

This is particularly interesting, because it means that users of the two most popular PDF reading applications for Windows, Adobe Reader and Foxit Reader, are now susceptible to attacks at the same time. As we have previously reported, a similar arbitrary code execution vulnerability in Adobe Reader 9 and earlier has been actively exploited in the wild.

Adobe released a patch for the flaw affecting its Adobe Reader and Acrobat products only recently, on 10 March, almost three days after it was reported as a 0-day. Even so, the patch is only available for version 9 of the products; users of earlier versions are required to upgrade first.

Because the vulnerability was the subject of active attacks and initially suggested workarounds like disabling JavaScript didn't help much, some people recommended switching to Foxit Reader, which now doesn't sound like such a great solution either.

It should be noted that, even though both products are now theoretically safe, this doesn't mean too much from a global security perspective. It has been demonstrated countless times that, in practice, users are very slow when it comes to deploying patches, if they even do it at all.

Dirk Knop, technical editor at anti-virus vendor Avira, notes on the company's TechBlog that "Many people use Foxit in the hope that it doesn’t contain the same vulnerabilities as the 'original' software from Adobe. […] As well as in the Adobe Reader, there are security weaknesses within Foxit." In addition, he advises that "Since there is an update available, make sure to install it immediately!"