Sunday, May 25, 2008

Foxit Fixed: + Lessons in PDF security

Just in case you wanted my humble opinion, Foxit Software's Foxit Reader is probably one of (if not THE best) PDF reader alternative out there.

"Alternative to what?" you ask? 

Why This monster of course.

Only a worrisome bit of news came out this week in the security-vulnerability realm:

Foxit Reader executes injected code - News - heise Security UK

Basically, Foxit Reader could be used with a buffer overflow to execute malicious code on a system via crafted PDF file.

The problem is caused by a boundary error when the program processes PDF files with embedded JavaScript. A buffer overflow can occur in the util.printf() function when the program parses format strings containing a floating-point specifier. This can allow malicious code to be injected and executed.

Problem is present, even without the optional Foxit JavaScript plugin feature for Foxit Reader.

More here via Secunia.

Version 2.3 builds 2825 and possibly earlier are impacted.

So go update to the newest version of Foxit (2.3 build 2923) or use the "updater" inside Foxit Reader if you already have it installed.

New features (awesome as always) include:

New Features

  1. Bookmark Design - Makes it possible to have your own bookmarks. Users can create, edit, or delete bookmarks in a PDF file if the security settings allow.
  2. Multi-tab Browsing - Enables users to open multiple files in a single instance. You can choose to view PDFs in a multi-tab window or multiple instances by setting documents layout from the Preferences dialog.
  3. Multimedia Player Support - Supports many media formats including audio and video. Read multimedia ebooks with Foxit Reader 2.3.
  4. Callout and Text box Tool - Creates comments in a callout text box or a box. You can also define their appearance as other commenting tools.
  5. Commenting Text Tool - Enables users to add most types of text edits by right-clicking on the selected text, including highlight, strikeout, underline, squiggly and replacement. You can also use the Commenting Text Tool to add bookmarks for PDF files.
  6. Rulers and Guides - Provides horizontal and vertical ruler guides to help users align and position objects on the page. Right-clicking on the ruler enables you to change the unit of measurement.
  7. Magnifier - Magnifies areas of the PDF files easily as you work on Foxit Reader.
  8. Automatic Scrolling - Allows users to view documents without using mouse actions or keystrokes.
  9. OCG Support - Enables the user to view related content stored in a variable number of separate layers.
  10. FDF Related - Opens FDF files directly with Foxit Reader without any import implementations.

Enhanced Features

  1. Optimized Rendering - Supports progressive rendering and significantly reduces the response time from the user interface events.
  2. Improved Link Tools - Allows users to add actions to links, such as go to a page view, open or execute a file, open a web link, etc.
  3. Improved Snapshot - Enables users to print the selected area in Foxit Reader by simply selecting the Print option from the context menu.
  4. Search Enhancement - Allows users to float, move and resize the Full Foxit Search box.
  5. Better Annotation control - Groups drawing markups to help users operate objects collectively, and allows users to move annotations through pages.
  6. Font Information - Lists the fonts and the font types used in the original document in the Properties dialog.
  7. Updated Command Line - Allows users to open password protected PDF documents with a simple command prompt.
  8. Streamlined UI - A completely redesigned UI with a new look and feel makes Foxit Reader more intuitive than ever before.
  9. Many Bug Fixes, including V2.3 Build 2825 security issues .

Diving into PDF Depths with Didier

Didier Stevens has been posting some really fascinating looks into the world of PDF formatting.

Great stuff, especially from a security standpoint.

Quickpost: About the Physical and Logical Structure of PDF Files - All you wanted to know about PDF formats and then some.

Quickpost: eicar.pdf - In which he embeds an EICAR test file into a PDF for your puzzling fun.

PDF Stream Objects - In which we find out how a zip-bomb might be set up.

Solving a Little PDF Puzzle - Solution for A Little PDF Puzzle which challenges us to find the passphrase of the PDF file and we see more about "incremental Updates" to a PDF.

PDF, Let Me Count the Ways… - How PDF language can generate variants of malicious PDF docs.

He also has cross linked to this excellent writeup by akudaniy: Let’s modify your acrobat files! « The Playground to show how to generate a PDF file from a web-page (as well as modify existing PDF files).

PDF Related

See these related Grand Stream Dream post:

Free PDF Readers (and then some)

Vista Tip: Install a PDF Printer Driver for Free

Firefox and fixing PDF madness, + Bonus Firefox Links



1 comment:

Didier Stevens said...

I also use Foxit Reader: