Reacting to a demonstration that showed how attackers could force-feed malware to users without exploiting an actual vulnerability,
Foxit Software patched its PDF viewer last week.
But the Belgium researcher who showed how hackers could run executable code on a Windows PC from a malformed PDF said today
that Foxit's fix didn't protect users from his attack tactics.
The April 1 update to Foxit Reader, a popular alternative to Adobe's own Reader, adds a warning that pops up when a PDF tries to launch an executable,
a function that's permitted by the PDF specification. The change makes Foxit Reader behave similarly to Adobe Reader, which
already sports such a warning.
"Foxit adds prompts to all pop-ups within PDFs," said Christina Wu of Foxit in an e-mail reply to questions today. "For example,
if there is a .txt or .exe file [that] is going to open within a PDF, the old version of Reader will launch the file by calling
the associated program from your system, without any inquiry. [The update] will detect it and launch a prompt to ask you if
you want to execute it or not."
Didier Stevens, the researcher who last week demonstrated a multi-stage attack using the /Launch function, said that his proof-of-concept
code -- which he has not released to the public -- still works when pitted against the updated Foxit Reader.
"The interesting thing about this fix is that it breaks my Foxit [proof-of-concept, or PoC], but ... the Adobe PoC works for
Foxit now," said Stevens in an entry on his blog today .
Previously, Stevens was forced to come up with a separate workaround to successfully attack Foxit with a malformed PDF.
Stevens' technique doesn't require an underlying vulnerability in either Adobe Reader or Foxit Reader; all attackers need
to do is dupe users into opening a malicious PDF. And last week, Stevens said that although Adobe Reader displays a warning
when an executable inside a PDF file is launched, he had found a way to partially modify Adobe's warning to encourage a potential
victim to allow the launch action.
While that kind of social engineering-based attack is nothing new, until now hackers needed an exploit of an unpatched software
vulnerability to pull off a successful attack delivered via PDFs. In other words, a Windows PC that has a fully-patched, up-to-date
copy of Adobe Reader or Foxit Reader can be exploited via rogue PDFs using Stevens' strategy.
Didier did not reply today to a request seeking further comment about the Foxit update, or whether he was able to change that
program's warning message, as he has been able to do to Adobe's.
Today, Stevens also confirmed that Adobe Reader users can defend their PCs by disabling the /Launch function, a crucial component
of his attack. To do so, users must clear the check from the box marked "Allow opening of non-PDF file attachments with external
applications" in the Trust Manager section of Reader's preferences.
Foxit does not have a similar setting.
Last week, Adobe acknowledged seeing Stevens' no-bug-needed proof-of-concept demonstration, but it did not commit to making
any change in its PDF software, saying only that it was "always listening to and evaluating ways to allow end-users and administrators
to better manage and configure features like this one to mitigate potential associated risks."
