Sophos Cloud Optix
When you think of PDF vulnerabilities and exploits, the first word that comes to mind is probably Adobe.
That’s because Adobe’s PDF reader has long been the most prevalent product in the marketplace, and the most heavily targeted by attackers and researchers.
But there are plenty of challengers in the PDF software market, and it’s important to remember that just “being different” is not enough to deliver security on its own.
Also, since Adobe released Reader X, with its security-oriented sandbox, crooks and researchers alike have found Adobe’s PDF nut much harder to crack.
You can therefore expect other vendors of PDF software to start feeling some of the heat that would probably have been aimed entirely at Adobe in years gone by.
Here’s an example: Italian security researcher Andrea Micalizzi has recently sought, and found, a possibly-exploitable vulnerability in the latest Foxit PDF plugin for Firefox.
Micalizzi hasn’t actually produced a proof-of-concept exploit, but I was able to reproduce his result at will.
(I used Firefox 18.0 with Foxit Plugin 2.2.1.530 on Windows XP3.)
The crash, which is a side-effect of a stack overflow, pretty much lets you write to a memory location of your choice. That’s not good.
Foxit openly promotes its PDF reader as a secure platform that “insures worry free operation against malicious virus [sic]”, which may sound like a bold statement in the face of Micalizzi’s bug.
But there is still literal truth in Foxit’s claim: the bug is not in the PDF reader itself, but in the npFoxitReaderPlugin.dll file that acts as the glue between the browser and the reader.
→ The np at the start of the filename stands for “Netscape Plugin”, a plugin architecture that originated in the heady days of Netscape Navigator. Ironically, the first example of such a plugin for Netscape was written at…Adobe Systems.
Intriguingly, you don’t actually need to feed Foxit a PDF to provoke the crash. You just have to feed it a malformed link that, when clicked, serves up an HTTP reply that advertises itself as a PDF.
The buffer overflow happens in the code that processes the link, triggering a crash when the link includes an overly-long query string.
If a link contains a question mark [?], the query is the text that follows it. The query component is usually used to identify parameters submitted to a server-side script. Below, for example, the query part is the string download=true:
http://example.org/docs/file.pdf?download=true
Foxit has yet to comment on this issue on its security advisories, though I am sure it will soon do so.
I’ve seen stories online suggesting that, since there’s no patch yet, you might consider switching to a different PDF reader.
But since the bug isn’t in the reader itself (and there’s no exploit yet, anyway), there’s a quicker and simpler mitigation you can use that will let you stick with Foxit.
Just turn off the Firefox plugin.
Go to Tools|Add-ons at the Firefox menu, choose the Plugins tab and click the Disable button against the Foxit Reader Plugin for Mozilla.
PDF files will no longer open directly inside your browser. You’ll get an intermediate dialog saying:
You have chosen to open: . . .
You will then need to click the OK button.
This loads the file into a separate Foxit reader process, avoiding the buggy code in the plugin DLL.
As Steve Jobs might have said, not that big of a deal.
Hi
Interesting reading. Thanks. As a Foxit user, but not a Firefox one, my question is: is there any issue with Foxit and Chrome, which is my combination?
Thanks again.
The author of the vulnerability report, Andrea Micalizzi, documents it as specific to the Foxit Firefox plugin…
If you’re a Chrome user, this one isn’t for you 😉
Excellent 🙂 Thanks
Can't duplicate in Foxit reader plugin 2.1.1.720 with Firefox 18. Was there more to the issue than adding '?download=true' ?
I found the original POC which appends [redacted].I tried that as well and it didn’t crash on 2.1.1.720 and Firefox 18. However, I did test it with 2.2.1.530 and was able to duplicate on Firefox 18.
2.1.1.720 does not crash.
I decided not to be specific here, and not to link directly to Micalizzi's page.
Call me fussy, but I've left interested parties to search for it themselves.
The vuln page includes a fragment of disassembly from the buggy DLL code and a server-side PHP script to act as documentation for how to reproduce the crash.
You don't need a full-on web server or PHP. Netcat with "-l -p 80" should be more than enough.
I can understand why you chose to do that. I just wanted to see if our current deployment required action or not as it was suggested that previous versions may be affected.
I won't call you fussy. I'll call you a conscious person who cares about people's systems. 🙂
Ben0xA wrote "I won't call you fussy. I'll call you a conscious person who cares about people's systems. 🙂 "
Yes, he is wide awake. He's also conscientious.
I've been using foxit reader for a few years due to the smaller size & huge difference in resourse usage over adobe.
I didn't have the plug-in installed in the first place, but thanks for keeping us as up to date as you do on commonly used software issues.
Anyway, if you're new to foxit reader, be careful when installing it to uncheck the Ask.com toolbar areas (I think there are two to uncheck) unless you actually want it.
And turn off "JavaScript" since most don't need it, as well as make sure "Enable Safe Reading Mode' is on or checked. These settings are found under "Edit"
then "Preferences".
Just a note to Opera users…
The Opera browser uses the same plug-in.
Open Opera, and type:
opera:plug-ins
Scroll to the Foxit plug-in and disable.
Thanks for the update Sophos!
Wow, thank you SO much for the above work around. As a Foxit and Firefox (but not that invasive Adobe) user, I have been needing to open pdf's from Firefox…and actually they sometimes do open via the Plugin, but mostly not and then Foxit asks for feedback and I'm not geek enough to know how to report the problem.
I notice you said it wasn't mentioned in their security bullitens, but it in fact is, and has been since the 8th (3 days before this article was posted)… You actually have to "Click here to check Foxit security bullitens" on that page.