Foxit backtracks after declining to fix zero-days exposed by ZDI

What’s the best way to make a company patch security flaws in its software?

Ordinarily, it should be to tell that company about them. Lots of researchers do this all the time in return for a bug bounty or, perhaps, a namecheck in the release notes.

Sometimes, however, the company doing the “telling” is a larger company that makes its money out of collecting and reselling vulnerability intelligence, in which case things can occasionally end up being more complicated – and contentious.

This was the scenario when, earlier this year, Zero Day Initiative (ZDI) told Foxit about two zero-day (i.e. undisclosed and unpatched) security vulnerabilities in its PDF Reader and PhantomPDF software, reportedly installed more than 400m times between them.

The flaws – now designated CVE-2017-10951 and CVE-2017-10952 – are JavaScript command injection and file write vulnerabilities, and are serious enough to allow an attacker to take over a target PC, typically considered a high priority for a fix.

But Foxit did not offer fixes for the flaws, and it was on that basis that ZDI made them public last week, in line with its stringent 120-day disclosure policy.

Declining to fix the issues, Foxit said it preferred to rely on the software’s “Safe Reading” mode for protection. This is:

Enabled by default to control the running of JavaScript, which can effectively guard against potential vulnerabilities from unauthorized JavaScript actions.

Like Adobe’s sandboxed Protected Mode, it is enabled by default, so the point is accurate as far as it goes, but it assumes the user never disengages it. Normally that would only happen when a user receives a PDF from a known contact, but that can still be a dangerously subjective judgment.

A few days on from ZDI going public and Foxit’s position has suddenly changed:

We are currently working to rapidly address the two vulnerabilities reported on the Zero Day Initiative blog and will quickly deliver software improvements.

The company had “miscommunicated” during its initial response and planned changes to avoid such a thing happening again, it reportedly told ZDI.

Given that Foxit has been busily patching its software this year, we can probably take this statement at face value, although embarrassment seems to have been a factor. Meanwhile, the rise of bug bounty programmes has made life harder for companies that lack one.

When professional researchers discover flaws, they are more likely to report them to companies that will pay them, be those third parties or the affected vendor. The catch is that bug bounties are competitive, so smaller companies are always at a disadvantage when a larger outfit is interested.

It could be worse. Earlier this year, security researcher Tavis Ormandy shone the spotlight on password manager LastPass, which found itself fixing a succession of flaws to meet Google Project Zero’s disclosure deadline in the full glare of public attention.

Foxit users should nevertheless be on their guard over these flaws. The lack of patches represents a significant risk, and it might be an idea either to mandate Safe Reading mode or to move to another reader until fixes are forthcoming.