Security researchers have discovered two critical zero-day security vulnerabilities in Foxit Reader software that could allow attackers to execute arbitrary code on a targeted computer, if not configured to open files in the Safe Reading Mode.
The first vulnerability (CVE-2017-10951) is a command injection bug discovered by researcher Ariele Caltabiano working with Trend Micro’s Zero Day Initiative (ZDI), while the second bug (CVE-2017-10952) is a file write issue found by Offensive Security researcher Steven Seeley.
Foxit refused to patch both the vulnerabilities because they would not work with the “safe reading mode” feature that fortunately comes enabled by default in Foxit Reader.
However, researchers believe building a mitigation doesn’t patch the vulnerabilities completely, which if remained unpatched, could be exploited if attackers find a way to bypass safe reading mode in the near future.
CVE-2017-10951: The command injection bug resides in an app.launchURL function that executes strings provided by attackers on the targeted system due to lack of proper validation, as demonstrated in the video given below.
“Steven exploited this vulnerability by embedding an HTA file in the document, then calling saveAS to write it to the startup folder, thus executing arbitrary VBScript code on startup,” reads the advisory published by the ZDI.
So, always beware of phishing emails, spams, and clicking the malicious attachment.