Using FoxIt because you think it's safer than Adobe Reader? Think again.
Whenever we run a post about yet another security hole in Adobe Reader, commenters chime in with their support for Foxit's free alternative. If you've been singing its praises for security reasons, think again, says security pro Didier Stevens.
Foxit, it turns out, currently has a rather serious flaw. A PDF can carry a launch action (the PDF spec's /Launch) that tells the reader to start an executable, and Foxit runs it without asking the user for any confirmation. Adobe Reader, by contrast, throws up an alert window asking whether the file should be allowed to run. "In this case, Foxit Reader is probably worse than Adobe Reader, because no warning gets displayed to prevent the launch action," says Stevens.
My desktop PDF viewer of choice -- Sumatra -- isn't affected by the exploit, nor is PDF-XChange, and you can always play it safe by using the Google Docs web viewer.
And no, Stevens' proof of concept as posted doesn't work on Linux or Mac: one crucial detail several commenters on his post seem to have missed is that it calls cmd.exe, a file you're not going to find on a non-Windows box. That is a property of his sample rather than of the technique, though. The /Launch action itself is not Windows-specific, and a single PDF can name a different target for each platform, so a Linux or Mac reader that honours /Launch without prompting would be exposed in just the same way.
[via Sunbelt]
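To make the warning concrete, here is an added example (my own code, not Stevens' tool, and nothing from Foxit or Adobe) that triages a PDF for the action at issue: it counts /Launch, /OpenAction and JavaScript keywords, resolves PDF name escapes so a hidden spelling such as /L#61unch is not missed, and pulls out the per-platform targets a /Launch dictionary can carry. The three PDFs inside it are constructed for the example. It goes a little beyond the article in handling the cross-platform case: a /Launch action may name separate /Win, /Mac and /Unix targets, so the cmd.exe detail in Stevens' sample is not what limits the technique.

```python
import re

# All three PDFs below are constructed for this example; they are not Didier
# Stevens' proof of concept. SAMPLE_PDF opens with a /Launch action that names
# a different target per platform (/Win, /Mac, /Unix), which the PDF action
# dictionary allows. OBFUSCATED_PDF is the same file with the action names
# hidden behind PDF name escapes (#hh), an evasion naive grep-style scanners miss.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 200 200] >> endobj
4 0 obj << /Type /Action /S /Launch
   /Win << /F (cmd.exe) /P (/c echo hello) >>
   /Mac << /F (/Applications/Calculator.app) >>
   /Unix << /F (/usr/bin/xcalc) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""
OBFUSCATED_PDF = (SAMPLE_PDF.replace(b"/Launch", b"/L#61unch")
                            .replace(b"/OpenAction", b"/Open#41ction"))
BENIGN_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 200 200] >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Keywords worth counting in triage. /ObjStm is not dangerous by itself, but it
# means objects may live inside compressed object streams this scanner does not
# inflate, so a clean result on such a file is not conclusive.
RISKY = [b"/Launch", b"/OpenAction", b"/AA", b"/JavaScript", b"/JS", b"/ObjStm"]


def decode_names(data: bytes) -> bytes:
    """Resolve PDF name escapes so /L#61unch compares equal to /Launch.

    Applied to the whole file rather than only inside name tokens; that is a
    coarse normalisation, but adequate for keyword triage."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), data)


def count_keywords(data: bytes) -> dict:
    """Count each risky keyword as a whole name (so /JS does not match /JSX)."""
    norm = decode_names(data)
    return {k.decode(): len(re.findall(re.escape(k) + rb"(?![A-Za-z])", norm))
            for k in RISKY}


def launch_targets(data: bytes) -> list:
    """Return (platform, target) pairs for every /Launch action found."""
    norm = decode_names(data)
    found = []
    for m in re.finditer(rb"/S\s*/Launch(.*?)endobj", norm, re.S):
        body = m.group(1)
        # Platform-specific sub-dictionaries: /Win, /Mac, /Unix.
        for plat, sub in re.findall(rb"/(Win|Mac|Unix)\s*<<([^>]*)>>", body):
            f = re.search(rb"/F\s*\(([^)]*)\)", sub)
            if f:
                found.append((plat.decode(), f.group(1).decode(errors="replace")))
        # A platform-independent /F directly in the action dictionary.
        flat = re.sub(rb"<<[^>]*>>", b"", body)
        f = re.search(rb"/F\s*\(([^)]*)\)", flat)
        if f:
            found.append(("any", f.group(1).decode(errors="replace")))
    return found


def scan_pdf(data: bytes) -> dict:
    """Triage verdict: flag any file that carries a launch or script action."""
    counts = count_keywords(data)
    targets = launch_targets(data)
    suspicious = (counts["/Launch"] > 0 or counts["/JavaScript"] > 0
                  or counts["/JS"] > 0)
    return {"keywords": counts, "launch_targets": targets,
            "suspicious": suspicious,
            "object_streams": counts["/ObjStm"] > 0}


if __name__ == "__main__":
    for name, pdf in [("sample", SAMPLE_PDF), ("obfuscated", OBFUSCATED_PDF),
                      ("benign", BENIGN_PDF)]:
        print(name, scan_pdf(pdf))
```

A check like this belongs at a mail gateway or download hook, because with Foxit the user never gets a prompt at which to say no. Two caveats: the regexes are deliberately coarse triage, not a PDF parser, and objects inside compressed object streams are not inflated, so any file reported with object_streams set should be decompressed and rescanned before it is called clean.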
Comments (13)
master811, Mar 31st 2010 12:29PM
Nope, I use Foxit because it's a damn sight faster than Adobe Reader.
corfmanj, Mar 31st 2010 1:16PM
One thing you didn't point out is there is a difference between "safer than" and "safe". One security hole in FoxIT Reader doesn't automatically mean it is less safe than Adobe Reader. Even with this security hole, if I were choosing purely on a security standpoint, I would still pick FoxIt Reader over Adobe Reader because generally speaking, I think it is still safer.
I don't use FoxIt Reader anymore (like you, I switched to Sumatra, at least on Windows), but like master811, the main reason I did use FoxIt over Adobe was speed, not security.
Simon, Mar 31st 2010 1:45PM
So what's preventing the attacker from replacing the call to cmd.exe to, say, /bin/sh? I didn't see anything about this attack that makes it necessarily limited to Windows.
MxxCon, Apr 1st 2010 2:02AM
It's not. In the comments on that page people say how you can create a single PDF that will execute different things based on OS (Win, Linux, OS X).
delphinus87, Mar 31st 2010 2:03PM
Preview.app
'nuff said.
cuttheredwire, Mar 31st 2010 8:56PM
I have PDF-XChange sitting on my hard drive because it was so highly rated at LifeHacker.com:
http://lifehacker.com/5329922/best-pdf-reader-pdf+xchange
Now is a good time to try it out, methinks.
Praveen Premchandran, Mar 31st 2010 10:36PM
Hmm.. I think you need to look at that link again...
PDF XChange got top marks by user vote, and not "rated" by lifehacker!
Trav, Mar 31st 2010 11:23PM
Switched to PDF XChange after having used Foxit for a while. Was pleasantly surprised, PDF XChange has more features than Foxit and runs smoother overall. The browser integration is superb compared to Foxit's as well.
A9F4, Apr 1st 2010 4:02PM
In your first paragraph, fix the spelling of "sining" please.
"If you've been sining its praises for security reasons"
5518443720, Apr 1st 2010 7:21PM
I use Foxit because it is a superior product in general, never thought about security.
A9F4, Apr 1st 2010 7:43PM
"And no, Stevens' exploit doesn't work on Linux or Mac."
Not specifically the one he posted, but yes, it does. If the user is running Adobe Acrobat and the PDF is set to /Launch anything that actually exists on an OS X system, then it will be launched.
Try it with this PDF and see how you make out: (works on Windows/Linux/Mac)
http://seclabs.org/fred/docs/sstic09/samples/actions/launch/calc.pdf
For me, it opened in Preview.app with no ill effects, as Preview doesn't support PDF /Launch.
Most people who run Acrobat are just going to click OK regardless to get rid of the pop-up warning without reading its contents, so it isn't all that much of a help.
You're really doing your readers a disservice by making it seem like FoxIt is the problem. The problem is PDF capabilities being extended time and time again, simply so Adobe can keep selling new versions by having new features to tout.
2late2die, Apr 1st 2010 8:59PM
"think again says security pro Didier Stevens."
I first read this as "pro Didler...", I'm not proud of this but I got a chuckle out of it :D
Anthony, Apr 4th 2010 2:03AM
The flaw has been fixed already. The fix was posted early in the morning on the 1st.