Current Foxit Reader can execute malicious code

After Adobe Acrobat Reader, Foxit reader...

 

It is only natural that if a tool is becoming more and more used, it will become a target for the attackers. That doesn't excuse poor programming, though...

 

Exactly! Have a look here for more! It makes me think again that these vendors MS, Adobe etc have no corporate memory for past errors and just keep forging on into not so new experiences

http://www.h-online.com/security/news/item/Microsoft-and-Adobe-close-almost-40-holes-1779941.html


40 holes? Maybe 2 would be acceptable.

Lets move "up" to W8!!!

 

This would not be the first instance that FoxIt has been exploited due to weak code.

 

Exactly! As an App becomes more and more Popular,
associated Safety/Security should be Enhanced; not Reduced!

 

As bad of a rap as Adobe gets, I prefer to stay with the "big names" for these types of programs. Sure, Adobe will get hit more, but it'll also get more attention than a smaller, lesser known vendor will. Usually that means faster patches and, sometimes, a push for stronger protections.

@PJC: You're right, it should, if it's possible. Sometimes though, without a major overhaul or redesign, it just isn't (Firefox would be a good example).

 

Another good reason not to install a reader's plugin. I just download the pdf then open with the program.

 

I use Sumatra PDF (it is neat...without 'Bells & Whistles'...)

For most users, 99% of working with PDF files includes just Reading and Nothing more.

 

AGREE!!!!! 101%

 

That depends on your security setup I think. For instance, I'm using ZeroVulnerability's ExploitShield. If I didn't use a PDF plugin, then I'd be at the mercy of whatever security that plugin/PDF program had. ExploitShield doesn't cover PDF programs themselves, only browsers and their plugins. So, by using that plugin, I've got backup security plus an extra feature from Exploitshield I wouldn't have otherwise. In fact, ExploitShield covers Foxit, so this vulnerability would not likely work if you used Foxit within the browser, but might if you simply opened it up with the program.

 

The simplest way to work around is not to display PDFs in browsers.
Instead, download them to your desired app and open there.

And let's not forget EMET.

Mrk

 

It's a matter of preference, really. It also, as I said earlier, depends on what you have behind the scenes watching over you. As for EMET, it provides little protection that isn't already very able to be bypassed. Using the plugin for my reader is a matter of convenience than anything else. If in Chrome, I don't even worry about it. Any other browser is backed up by Exploitshield, BitDefender and MBAM, all of whom will more than likely detect any shenanigans before the PDF ever opens. Whether we open files in or out of the browser, as long as we avoid the nastiness we're golden

 

Indeed -- almost 4 years ago!

If plug-ins are disabled globally, then if a user encounters a web exploit for a PDF Reader, the browser will force a dialog box asking for a decision. If the user isn't looking for a specific PDF file, she/he would just Cancel the dialog box knowing that something was not right, and the exploit would fail, based on the user's sound policies and procedures:



Users, especially in business, like the plug-in to automatically open the PDF in the browser. But download speeds today are so fast that it's just a few seconds and a couple of clicks to Save, then Open the PDF. I tested downloading a 11MB PDF file, 208 pages. It took less than 10 seconds:



With plugin-ins disabled globally, these exploit kit attacks against these plug-ins that are proliferating all over the internet, are stopped at the gate.


----
rich

 

Again, it's preference. Downloads may be fast, but that's not a good enough reason for some if they don't want to download it real fast, go to their download folder, open the file and wait for their program to load it. You're right that there are safer ways to deal with issues, but for those who don't want to set up and deal with policies and procedures (The word policies alone immediately makes me think "Christ, how long is this going to take and how is it going to affect me?") there are still options.

 

Mman79, I can't disagree with any of what you write above! Many people don't want to be inconvenienced!

Put yourself in the place of this company's security manager, as quoted from an article cited in another thread:

Security Manager's Journal: New ransomware attack hurts trustworthiness of Web
http://www.computerworld.com/s/arti...ck_hurts_trustworthiness_of_Web?taxonomyId=85

Many of the ransomware exploits have been traced to those targeting PDF and Java plug-ins. This is common in analyses of ransomware attacks:

Ransomware Debuts New Java Exploit,
2012-07-10
http://blog.soleranetworks.com/2012...oit-sends-victims-running-for-moneypak-cards/

Should a company security manager insure that plug-ins are disabled on users' workstations to prevent this type of exploitation, knowing that many users will complain for the lack of convenience?

One compromise is that in some browsers, you get this notification (Opera, here) and the plug-in can be enabled for that site where the user needs to view a PDF file:



(I'm curious about the options that you refer to, if you can elaborate)

The security manager continues from the first article:

But there are other ways besides infected web advertisements of redirecting unsuspecting users to booby-trapped web sites. So, he's taken care of "this particular nuisance" but hasn't really addressed the main problem.

So, what are your suggestions?

----
rich

 

Well, in a corporate environment the game changes. Users are just going to have to go by what the, hopefully, competent IT staff think is best. In that environment, things should be locked down tighter. At home, well, in my case I use both Chrome and IE 10 which are a pretty good start in basic security. For both of them, ad blocking is in place to take care of both annoying and possibly malicious ads. After that I have http://www.zerovulnerabilitylabs.com/home/exploitshield/ in place alongside MBAM Pro (website blocking enabled) and BitDefender which is both good at detection and also has an Http scanner in place, which I consider essential these days.

All of this is nowhere near the advanced setups one can see here. But you really don't need advanced and "noisy" setups to protect yourself. There's really not much out there that is scary beyond ransomware and the "Flames" of the world. If that company you cited would have had a decent ad blocker in place, they likely would have never dealt with that issue. Security is made way more complicated of an issue than it really needs to be, in my opinion. You can stay safe without ever touching group policies and denying access to such and such areas, you really can. Some people, like myself, can't use them because of OS restrictions (I don't have Windows 7 Ultimate, only Home Premium), and I wouldn't want to anyway. If I can't trust the tools I use to keep me reasonably safe, after choosing them based on my computing use and requirements and having done research through Wilders and elsewhere, then I might as well not even bother connecting to the Internet. You've got to put faith in something at some point.

 

I use it too, ever since Foxit started to get bloated. It's a great basic PDF reader and has always been rock solid for me.

 

Maybe not the most convenient, but this is the best approach. Mrk explains it better than I did

 

Sumatra PDF is what most users need!

 

I stopped using browser plugins of common PDF readers to open/read PDFs a long time ago.

Nowadays I just install an extension that allows me to open/read PDFs (and others) on Google Docs (or an equivalent trustworthy service) automatically.

For Opera: https://addons.opera.com/en/extensions/details/gpdf/

When I want to open/read them outside the browser, I use Sumatra PDF.

No security issues with this approach in years.

 

BTW, Sumatra released its 2.2.1 version.

 

Updated, thanks.

 

Sumatra is a great PDF reader, but it's security through obscurity which time has proven doesn't work.

 

You are welcome!