Security Response

Foxit PDF Reader is Being Exploited in the Wild—So Now Where Do We Go?

Created: 23 Mar 2009 22:48:01 GMT • Updated: 23 Jan 2014 18:36:39 GMT
Sean Hittel

Last year when Adobe Acrobat was being exploited in the wild, some were calling for people to switch their PDF reader software as a defense against the exploits targeting Acrobat Reader. While application diversity can enhance an individual's ability to withstand broadcast attacks, it is important to consider that any alternative software still needs to be maintained, and consideration needs to be given as to how security systems handle this software. If a replacement application is not handled well by perimeter systems, has security been improved by the replacement?

Today's Web attack toolkit operators are often content with only a small percentage of success with their attacks. This often means that they are deploying any and every functional exploit they can get their hands on without regard for how successful it may be. Thinking that one can simply move to software that is not currently being exploited is not a good long-term solution. In the long term, moving to alternative software can actually increase your vulnerability if additional software is simply installed and forgotten about.

On March 20, our honeypots began detecting exploits for the Foxit PDF reader. Although it is not clear if this specific attacker intentionally wanted to target users of the Foxit Reader who had installed and not updated their software, or if the exploit was simply added to the attack toolkit when it became public, users should nonetheless review their installations to ensure that they are not vulnerable to this attack. Foxit has fixed all known security vulnerabilities, and you can review their security bulletins here.

The updated attack serves a variety of exploits, along with the exploit for the Foxit PDF Reader (described in BID 34035). These attacks are detected by the following existing IPS signatures in Enterprise (SEP/SCS) and Consumer (NAV/NIS/N360) products:

HTTP Malicious Toolkit Variant Activity
HTTP Acrobat PDF Suspicious File Download

Since the vulnerability being exploited has already been patched, only those users who have not updated their software will have problems with this attack.

Message Edited by Trevor Mack on 03-31-2009 06:00 AM