The Zero Day Initiative is taking the makers of the Foxit free PDF reader to task for failing to fix two zero-day vulnerabilities that would allow a remote attacker to execute arbitrary code on vulnerable installations of Foxit Reader.
ZDI disagreed with this analysis. The researcher who found CVE-2017-10951, Ariele Caltabianio, said the reader does not check whether the input data is a URL, which should be the only thing accepted, but instead will accept full paths. The reader also does not filter any file extensions allowing an outsider to execute commands. A similar issue had previously been found in Adobe Reader.
However, Foxit told SC Media that it is moving to fix the issue.
"We are currently working to rapidly address the two vulnerabilities reported on the Zero Day Initiative blog and will quickly deliver software improvements. In the meantime, users can help protect themselves by using the Safe Reading Mode. We apologize for our initial miscommunication when contacted about these vulnerabilities and are making changes to our procedures to mitigate the probability of it occurring again," a spokesperson said.