Didier Stevens

Wednesday 28 May 2008

I Still Use Foxit Reader

Filed under: PDF,Vulnerabilities — Didier Stevens @ 8:38

Foxit Reader has been my default PDF reader for more than a year now, as an alternative to the Adobe Acrobat Reader that stalled too often when starting up.

While playing with the PDF file format, I created several PDF files that uncovered potential security issues with Foxit Reader.

A PDF file with an OpenAction triggering an URI action causes Adobe Acrobat to prompt the user for approval, before accessing the URI:

But Foxit Reader opens Internet Explorer and visits the site without confirmation prompt. I submitted a feature request to Foxit Software for this.

Another example is a JavaScript inside a PDF file that switches the reader to full screen mode. Adobe Acrobat Reader will warn you for spoofing attacks and ask for your permission to switch to full screen, while Foxit Reader does this immediately.

Of course, these warnings will only help a user that is aware of the potential risks. But in a corporate environment, you can also set the appropriate registry keys to block all these actions by default.

It was also trivial to assemble some simple malformed PDF files that cause problems for Foxit Reader, but not for Adobe Reader. I submitted these files to Foxit Software.

Adobe Acrobat Reader allows you to disable JavaScript. Until recently, Foxit Reader required a JavaScript plugin for JavaScript support. Omitting the plugin was a simple way to disable JavaScript. But since version 2.2, JavaScript is embedded in the main executable and there is no configuration switch to disable it. Many Foxit Reader users have requested this feature.

If you absolutely want to disable JavaScript in Foxit Reader 2.3, there’s a quick and dirty trick. Search for the ASCII string JavaScript (preceded and terminated by byte 00) in the Foxit Reader executable (you should find only one occurrence), and replace it with javascript, for example. Actually, this patch will not disable the JavaScript interpreter for Foxit Reader, but it will prevent Foxit Reader from recognizing the /JavaScript name in a PDF document, effectively making it to ignore JavaScript instructions (names are case-sensitive).

You can make this patch permanently by editing the Foxit Reader executable with an hex editor, or do it temporarily by patching in memory with my bpmtk utility. The command to achieve this is:

search-and-write module:. hex:004A61766153637269707400 hex:006A

Of course, this is not a serious risk analysis of Foxit Reader. I started to use Foxit Reader as a solution to the Adobe Acrobat Reader performance problems, not for security reasons. And now that I’ve delved into the PDF file format, I did some random tests with Foxit Reader and Adobe Acrobat Reader. This gave me the impression that Adobe has more experience with security risks and vulnerabilities, than Foxit Software, and that this experience is reflected in the design of their products.

I’ll still be using Foxit Reader as my main PDF reader, and I’ll still analyze suspect PDF files in a controlled environment.

8 Comments »

  1. I just learnt that Adobe Acrobat reader 9 is announced along with Acrobat.com. This might be better than Foxit
    I visited Acrobat.com. Contains great features. But i got somewhat confused. But i got detailed information about it later here – Adobe introduces Acrobat 9 & Acrobat.com
    It also contains detailed and fabulous review of Acrobat 9 and Acrobat.com which was a lot helpful.

    Adobe Acrobat 9 – Preview
    Acrobat.com (BETA)

    Comment by Yogesh Amberkar — Monday 2 June 2008 @ 14:26

  2. You say:
    “But in a corporate environment, you can also set the appropriate registry keys to block all these actions by default.”

    Could you please point me towards further information (or a list) of the registry keys that block these actions?

    James_A

    Comment by James_A — Wednesday 4 June 2008 @ 16:30

  3. I think the Adobe Customization Wizard is what you’re looking for: http://www.adobe.com/support/downloads/detail.jsp?ftpID=3564

    Comment by Didier Stevens — Wednesday 4 June 2008 @ 17:03

  4. Ridiculous! Javascript has no business being in a PDF.

    Comment by Ryan Fox — Saturday 7 June 2008 @ 5:46

  5. JavaScript has a business reason in PDF documents, PDF is not only used for static content. Order forms are a popular application of PDF, and often contain JavaScript to calculate the total amount due and sales tax/VAT.

    Comment by Didier Stevens — Saturday 7 June 2008 @ 11:08

  6. Perhaps even more important than PDF’s use in “business” is its use in “academia”. Consider the number of PDF’s produced by academic journals.
    If one is faced with having to read many PDF’s in succession for their informational content (cf. using a PDF as a web form), I have found the programs ‘sumatra pdf’ and ‘pdftohtml’ piped to lynx -dump as safer and faster alternatives to Acrobat Reader, and Foxit Reader, if one wants to read from the computer monitor.

    That said, PDF woes aside, your memory hack alone is impressive in its own right!

    Comment by D.E. Null — Saturday 27 December 2008 @ 2:57

  7. [...] Version 2.2 and 2.3 didn’t change this, that’s what prompted me to publish a hack to disable JavaScript. [...]

    Pingback by A Very Brief History of Foxit Reader and JavaScript « Didier Stevens — Wednesday 6 May 2009 @ 23:45

  8. I use STDU Viewer (http://www.stdutility.com) and very happy.

    Comment by Raptor — Monday 22 June 2009 @ 20:02


RSS feed for comments on this post. TrackBack URI

Leave a Reply (comments are moderated)

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

The Rubric Theme. Blog at WordPress.com.

Follow

Get every new post delivered to your Inbox.

Join 225 other followers

%d bloggers like this: