Security researchers have discovered two critical zero-day security vulnerabilities in Foxit PDF Reader that could allow attackers to execute arbitrary code on a targeted computer, if the Safe Reading Mode is not enabled.
The first vulnerability (CVE-2017-10951) is a command injection bug discovered by researcher Ariele Caltabiano, while the second bug (CVE-2017-10952) is a file write issue found by security researcher Steven Seeley.
An attacker can exploit these bugs by sending a specially crafted PDF file to a Foxit user and enticing them to open it.
Foxit refused to patch these vulnerabilities because they would not work with the “safe reading mode” feature, which fortunately comes enabled by default in Foxit Reader. However, researchers believe that building a mitigation doesn’t patch the vulnerabilities completely: if they remain unpatched, they could be exploited should attackers find a way to bypass safe reading mode in the near future.
CVE-2017-10951: The command injection bug resides in the app.launchURL function, which, due to a lack of proper validation, executes strings provided by attackers on the targeted system, as demonstrated in the video given below.
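
A defender-side triage check for the pattern described above, added here as an example and not taken from the original article, Foxit or the researchers: it scans a PDF, including Flate-compressed streams, for app.launchURL calls whose first argument is not a literal http(s) URL. The function names, the allow rule and the sample bytes are assumptions constructed for illustration.

```python
import re
import zlib

# app.launchURL( <first argument> ; an escaped "\(" is accepted because the
# script may sit inside a PDF literal string.
LAUNCH_CALL = re.compile(
    rb"""app\s*\.\s*launchURL\s*\\?\(\s*("(?:[^"\\]|\\.)*"|'(?:[^'\\]|\\.)*'|[^,)]*)""",
    re.I)
# Only a string literal that starts with http:// or https:// is treated as benign.
SAFE_LITERAL = re.compile(rb"""^["']https?://[^"'\\]*["']$""", re.I)
STREAM = re.compile(rb"stream\r?\n(.*?)endstream", re.S)


def candidate_buffers(pdf_bytes):
    """Yield the raw file, then every stream body that inflates with zlib."""
    yield pdf_bytes
    for m in STREAM.finditer(pdf_bytes):
        try:
            # decompressobj tolerates the end-of-line bytes before "endstream"
            yield zlib.decompressobj().decompress(m.group(1))
        except zlib.error:
            continue  # not Flate data; other filters are out of scope here


def find_suspicious_launchurl(pdf_bytes):
    """Return launchURL arguments that are not a literal http(s) URL."""
    findings = []
    for buf in candidate_buffers(pdf_bytes):
        for m in LAUNCH_CALL.finditer(buf):
            raw_arg = m.group(1).strip()
            arg = raw_arg.decode("latin-1")
            # Variables and expressions cannot be judged statically, so flag them too.
            if not SAFE_LITERAL.match(raw_arg) and arg not in findings:
                findings.append(arg)
    return findings


def build_sample():
    """Constructed sample, not a real document: two JavaScript actions."""
    plain = (b"1 0 obj\n<< /S /JavaScript /JS "
             b'(app.launchURL("https://example.com/help", true);) >>\nendobj\n')
    body = zlib.compress(b'app.launchURL("placeholder-scheme:constructed-value", true);')
    packed = (b"2 0 obj\n<< /Filter /FlateDecode /Length %d >>\nstream\n" % len(body)
              + body + b"\nendstream\nendobj\n")
    return b"%PDF-1.7\n" + plain + packed


if __name__ == "__main__":
    for arg in find_suspicious_launchurl(build_sample()):
        print("review launchURL argument:", arg)
```

Static matching of this kind misses obfuscated scripts and streams that use other filters, so an empty result is not evidence that a file is clean.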