Foxit PDF Reader is well and truly foxed up, but vendor won't patch

The Zero Day Initiative (ZDI) has gone public with a Foxit PDF Reader vulnerability without a fix, because the vendor resisted patching. The ZDI made the decision last week that the two vulns, CVE-2017-10951 and CVE-2017-10952, warranted release so at least some of Foxit's 400 million users could protect themselves. In both …

  1. Anonymous Coward

    Foxit on the run

    Sweet!

    1. bombastic bob Silver badge
      Devil

      Re: Foxit on the run

      "Sweet!"

      you get a magic cookie for that one! And a 'Wink'.

      on a related note, I used to be a fan of evince until it STARTED! LOOKING! 2D FLATSO! and the gnome devs arrogantly told me to pack sand when I complained about it.

      So *NOW* I'm a fan of the Mate fork, 'Atril'. Aside from a minor bug, it's pretty good.

      Who needs 'Foxit' when you have SO MANY other PDF readers. FREE ones, without spyware, ads, or other irritations like NAGGING! YOU! TO! LOG! IN! like stupid Adobe crap-reader does now.

      and WITHOUT! ".NOT"! IN! THEM! I might add...

      1. Anonymous Coward

        Re: Foxit on the run

        " until it STARTED! LOOKING! 2D FLATSO"

        They are just copying the cool Windows 10 look. Learn to live with it along with the other 500 million users of W10...

      2. GBE

        Re: Foxit on the run

        I gave up on evince a year or two back because of various UI issues and the whole screw-you-if-you're-not-running-Gnome attitude. I've been using atril as my default PDF viewer ever since and the only thing it's missing is the 'print current view' feature that acroread had. Fortunately, I found PDFStudio and can use that when I need to print a portion of a page.

        1. Ramazan

          Re: the whole screw-you-if-you're-not-running-Gnome attitude.

          mupdf is quite small and depends on neither gnome nor systemd. It's the recommended pdf reader on Gentoo since xpdf's demise.

          https://security.gentoo.org/glsa/201402-17

  2. lglethal Silver badge
    Go

    Suggestions for replacement?

    I've been using Foxit for a while now, and well frankly it is shit. But working out what Reader to change to just hasn't made the top of my to do list until now. So anyone have suggestions for what's the best pdf Reader out there?

    1. bombastic bob Silver badge

      Re: Suggestions for replacement?

      mentioned 'atril' already. It's the 'Mate' fork of evince, which means it won't have gnome 3 developer arrogance built in.

      atril.com I think...

    2. Anonymous Coward

      Re: Suggestions for replacement?

      SumatraPDF - use it for years

      1. Pascal Monett Silver badge

        Yes, SumatraPDF

        I second that. Still using it. It is sleek, light and efficient. Doesn't get in the way, doesn't nag.

        I hope it stays that way.

      2. VinceH

        Re: Suggestions for replacement?

        "SumatraPDF - use it for years"

        Seconded Thirded* - I've also been using it for a good few years.

        I do occasionally receive PDFs from one source that it can't open, but whenever I get one of those I import it into Xara Photo & Graphic Designer (or whatever they've chosen to call it this month).

        * I read Pascal Monett's comment after first posting this one.

        1. Paratrooping Parrot
          Thumb Up

          Re: Suggestions for replacement?

          I used to use Foxit until I noticed that the install file size was humongous. I moved to Sumatra after advice from the peeps here. I have to say that I haven't looked back. So, thank you all. :)

          1. h4rm0ny

            Re: Suggestions for replacement?

            Just trying SumatraPDF now (was a Foxit user). It needs a way to collapse all bookmarks at once (I work with very large PDFs) but seems otherwise quick and clean. Hideous Eighties website, though!

        2. paulf
          Thumb Up

          Re: Suggestions for replacement?

          "SumatraPDF" Thanks for all the suggestions on this. I've been looking for a decent replacement for the PoS that is Adobe reader. Since installing SumatraPDF yesterday it's been working well.

      3. src

        Re: Suggestions for replacement?

        Sumatra cannot display the fonts correctly in the statements I get from my Japanese bank.

        I am using the PDF reader in WPS (Kingsoft) Office instead.

      4. H in The Hague

        Re: Suggestions for replacement?

        Thanks for the tip! Very happy with Sumatra.

        Incidentally, if you happen to use ABBYY OCR software their ABBYY FineReader 14 program is also a useful PDF reader and editor. Its search function is particularly convenient as it displays all hits (unlike Acrobat and Sumatra). (Not to be confused with the accompanying ABBYY FineReader 14 OCR Editor, which is for tricky OCR jobs only.)

    3. Your alien overlord - fear me
      Facepalm

      Re: Suggestions for replacement?

      Windows 10/Edge browser? Only joking, it's a Monday morning :-)

      1. arctic_haze

        Re: Suggestions for replacement?

        We're talking about Foxit (the PDF viewer), not Firefox.

        1. Solarflare

          Re: Suggestions for replacement?

          @ arctic_haze

          We know, Edge works as a PDF viewer. Keep up old chap!

          1. TheVogon

            Re: Suggestions for replacement?

            "We know, Edge works as a PDF viewer. Keep up old chap!"

            I second that as an option. It's fast and works correctly including printing complex documents.

      2. oxfordmale78

        Re: Suggestions for replacement?

        You mean the Windows 10 Chrome downloader ?

    4. TheVogon

      Re: Suggestions for replacement?

      "I've been using Foxit for a while now, and well frankly it is shit. "

      So way better than Adobe's PDF Reader then,,,,

      1. Geoffrey W

        Re: Suggestions for replacement?

        RE: "So way better than Adobe's PDF Reader then"

        I must have tried millions of PDF viewers on Android, some multiple times after they were updated, and Adobe's Android PDF viewer is the only one I can live with and that does exactly what I want. Wouldn't touch it on Windows.

    5. Ramazan

      Re: suggestions for whats the best pdf Reader

      xpdf got kicked out of gentoo due to multiple vulnerabilities. mupdf is generally recommended as a replacement.

      https://security.gentoo.org/glsa/201402-17

  3. Digitall

    Alternatives/ Replacement

    Used Foxit pdf reader within the previous decade for a bit which inevitably turned into bloatware and was dropped much like Adobe Reader years prior to that.

    @ lglethal: Not necessarily the best pdf reader but, PDF-XChange Viewer works well.

    https://www.tracker-software.com/product/pdf-xchange-viewer

    1. jrd

      Re: Alternatives/ Replacement

      FWIW, I have used PDF-XChange Viewer for over a year without problems. Seems at least "good enough" for casual use.

      1. Anonymous Coward

        Re: Alternatives/ Replacement

        Having grown weary of the bloated monster that Acrobat has become, I decided to install an alternative on a new PC.

        Yesterday I installed Foxit. Today I shall be uninstalling it. *sigh*

        I'll give Sumatra a go, once I turn down the brightness on my monitor. I hope the app is friendlier on the eye than their website.

        1. EddieD

          Re: Alternatives/ Replacement

          Install it using the Ninite installer, and you don't need to go to their rather eye-catching website...

          1. herman Silver badge

            Re: Alternatives/ Replacement

            I was expecting tables and blink tags when I first went to the Sumatra web site.

        2. Anonymous IV

          Re: Alternatives/ Replacement

          > I'll give Sumatra a go, once I turn down the brightness on my monitor. I hope the app is friendlier on the eye than their website.

          If you want to change the lurid yellow background to a friendly pale blue, add the -bg-color parameter after the executable in your icon Properties, such as:

          "C:\Program Files (x86)\SumatraPDF\SumatraPDF.exe" -bg-color 0xF0F8FF

          "Your 0xRRGGBB value may vary."

      2. Anonymous Coward

        Re: Alternatives/ Replacement: Tracker Software PDF-Xchange viewer

        As others have recommended.

        It's served my needs for many years now, with no problems here, costs me nothing either. Don't understand why it is rarely mentioned.

        Even includes OCR which meets my needs too.

        Let's get Foxit on the run:

        https://www.youtube.com/watch?v=kRv7EjjwYBI

        Have a look. What could possibly go wro

    2. LesB

      Re: Alternatives/ Replacement

      And the PDF-XChange Editor is a sound alternative to Acrobat Pro (doesn't *quite* do everything, but enough for many users), with volume licence pricing that's quite friendly....

    3. Alan Brown Silver badge

      Re: Alternatives/ Replacement

      "Used Foxit pdf reader within the previous decade for a bit which inevitably turned into bloatware"

      Unfortunately this seems to be the fate of all popular PDF readers, even the opensauce ones.

      xpdf still works though.

      1. Ramazan

        Re: xpdf still works though

        gentoo was tired of repeated xpdf's CVEs and dumped it. mupdf is recommended in its place.

        https://security.gentoo.org/glsa/201402-17

  4. Bloodbeastterror

    Uninstalled immediately

    <end of message>

    1. theModge

      Re: Uninstalled immediately

      I'd been holding off doing this because of the bloat, since some of the extra functions are actually quite handy but....this has pushed me over the edge. I've had SumatraPDF installed for ages, so it only needed me to uninstall Foxit and set Sumatra as the default.

  5. Adam 1

    dropped it a few years back

    As soon as they started bundling spyware in their installer.

    1. King Jack

      Re: dropped it a few years back

      That seems to be a growing trend with all software. Can't wait for this 'trend' to reverse.

    2. Anonymous Coward

      Re: dropped it a few years back

      "As soon as they started bundling spyware in their installer."

      It installed Google Chrome ?

      1. Adam 1

        Re: dropped it a few years back

        Worse. I actually enjoyed your joke, but I think there is a fundamental difference between adware, creepy tracky browsers and something that silently scans your PC to see what is installed, changes your homepage/desktop/toolbars as it sees fit. In one case it is the price* they are asking to use the software. In the other, they are not upfront.

        *Whether that price represents good value is left as a judgement call on the reader.

        1. Anonymous Coward

          Re: dropped it a few years back

          "I actually enjoyed your joke"

          It wasn't a joke! Adobe DO bundle Chrome with their downloads.

  6. thomas k

    Rolled back to previous version

    Been using Foxit for years but grew increasingly disenchanted with all the bloated on-line stuff they've added. Finally tracked down a 6.0 version that I'm pretty pleased with.

    1. AMBxx Silver badge

      Re: Rolled back to previous version

      I paid for version 6 to use as a pdf editor. Much cheaper than Adobe. Looks like I won't be buying the upgrade!

    2. Alumoi Silver badge

      Re: Rolled back to previous version

      Version 5.0.2.0718 works like a treat for me. No bloat, no nonsense, just a PDF viewer.

  7. nickx89

    Maybe.

    Maybe they should reach their far related cousin Firefox xD

  8. sitta_europea Silver badge

    And you're going to download it from CNET...?

  9. brotherelf

    Only, they're patching after all, and have been saying so since about Saturday…

    "Foxit Software is deeply committed to delivering secure PDF products to its customers. Our track record is strong in responding quickly in fixing vulnerabilities. We are currently working to rapidly address the two vulnerabilities reported on the Zero Day Initiative blog and will quickly deliver software improvements. In the meantime, users can help protect themselves by using the Safe Reading Mode. We apologize for our initial miscommunication when contacted about these vulnerabilities and are making changes to our procedures to mitigate the probability of it occurring again."

    1. Doctor Syntax Silver badge

      "We apologize for our initial miscommunication when contacted about these vulnerabilities and are making changes to our procedures to mitigate the probability of it occurring again."

      Translation: We didn't realise you'd go public.

    2. Robert Carnegie Silver badge

      "We apologize for our initial miscommunication when contacted about these vulnerabilities"

      ...four months ago.

      Having said that - making JavaScript be safe is hard, probably.

  10. Stevie

    Bah!

    So Foxit is finally a proper replacement for Acrobat?

    About time.

  11. Androgynous Cow Herd

    PDF reader?

    If I just need a reader, my OS supports .pdf format natively. Creates them as well.

    Seems silly to have to install a program for basic .pdf functionality.

    1. Anonymous Coward

      Re: PDF reader?

      "If I just need a reader, my OS supports .pdf format natively. Creates them as well."

      I use Windows 10 + Office too.

  12. Alistair
    Windows

    "___________ is deeply committed to delivering secure PDF products advertisements to its customers users. Our track record is strong in responding quickly in fixing vulnerabilities protecting our revenue. We are currently working to rapidly address the two vulnerabilities"

    Oh -- look -- an honest template!

    At one point installed FoxIt on my phone. I *never* got to using it and have since found other tools. The list of "Permissions" was stupid. Effectively it wanted to own my phone. I said no.

  13. Anonymous Coward

    Shame Foxit has gone towards the Dark side !!!

    I have used Foxit for many years, and it was good ..... until all the on-line PDF features started to appear.

    I understand why, as the additional functionality could be useful BUT it also is a handy 'backdoor' method to monitor usage of 'Cracked/Hacked/ripped-off' versions etc.

    [Once on-line lots of 'information' can be checked and passed back to the mothership !!!]

    It does not help you if you don't want to be on-line simply to read a .pdf.

    As advised use an older 'Legal' version which is more than functional and stop any automatic updates.

    I am doing this for now but will also look at alternatives that are smaller/sleeker and fully supported !!!

  14. Richard Parkin

    Why do you need a PDF reader?

    Why do you need a PDF reader when the OS deals with them via Preview?

    1. Anonymous Coward

      Re: Why do you need a PDF reader?

      Whaaa? I see you tried Foxit's Unsafe mode.

      P.S. those bitcoins aren't yours.

  15. hellwig

    JavaScript in a PDF?

    I really don't understand why everything has to get so fancy. What happened to good old postscript? Why does a distributed document need JavaScript? Seems like someone wanted to turn PDF into something it's not.

    A: "What if we made it like a webpage?"

    B: "Made what like a webpage? This electronic copy of a static document?"

    A: "Yeah, you could use the PDF to retrieve dynamic content from the internet."

    B: "You mean like a webpage displayed in a web browser?"

    A: "Yeah, but it's a PDF! And we can even make web browsers our default PDF readers!"

    B: "So you want your web browser to display a document that can retrieve data from the internet, but instead of HTML, you want it to be a PDF? Brilliant!"

  16. Harry Stottle

    Sumatra Seconded (again) and Thanks for the Libre Office (Draw) tip

    Sumatra easily lightest weight stable pdf reader.

    Was using Foxit as well for my occasional pdf editing needs. Then spotted reference (above) to Libre Office Draw being able to do the job. Tested it and it works. Bit clunky (go into edit mode/ saves to an odg file / leaves it in read only mode/ enable editing / edit / save / export as pdf) but more than happy to put up with that in order to liberate myself from foxit...

    Would have attached this as thankyou reply to who-ever it was who posted that Libre Office tip but damned if I can find the comment now!

  17. davcefai

    Okular

    Can't beat Okular under KDE on Debian.

    1. Ramazan

      Re: Okular

      is it a standalone viewer or does it depend on KDE/libs?

      P.S. me uses mupdf on Gentoo...

  18. Florida1920

    Outfoxed

    Yikes. I have the latest version available of Foxit for Windows. Looked at their site to see how to make sure it was in Safe Mode. Couldn't find a "Tools" tab/button. Clicked on "About" and some scrolling pop-up appeared, and kept going and going. Wouldn't go away, and then Foxit wouldn't close normally. Had to use Task Manager. Tried downloading User Manual, download crawled to a halt. While still waiting for manual to download, downloaded and installed SumatraPDF. Works, looks okay. Now my default for PDF.

    Question: Has anyone audited SumatraPDF for vulnerabilities? Foxit, being popular, is an obvious target, but that doesn't mean the other options are immune to attack.

  19. herman Silver badge

    W0t? All these years of feature creep and Foxit still cannot send email?

    1. Ramazan

      re: All these years of feature creep and Foxit still cannot send email?

      When systemd incorporates PDF reader features, Foxit days are numbered. Systemd is light years ahead of anything in terms of bloat speed.

      1. TheVogon

        Re: re: All these years of feature creep and Foxit still cannot send email?

        "When systemd incorporates PDF reader features, Foxit days are numbered"

        Surely you mean then "Systemd days are numbered" ?

        wtf has PDF reader functionality got to do with a system init solution?!

  20. Anonymous Coward

    Why use a standalone PDF reader?

    Most modern browsers are competent enough to display PDF files properly.

    And if you want to edit, create or compile your own PDF files, you need the full version of Adobe Acrobat. You might be able to do it online, but results are usually less than satisfactory.

    Back in the days of Acrobat Reader version 6 to 10, alternative standalone PDF readers were appealing because the official Acrobat Reader was extremely bloated. You would have to tweak here and there, disable plugins and processes on a fresh installation before it could be less annoying.

    So, why use a standalone PDF reader in 2017?

    1. Androgynous Cupboard Silver badge

      Re: Why use a standalone PDF reader?

      The in-browser PDF support is usually pretty incomplete, and while it will work for the majority of PDFs you're going to get plenty of edge cases where it doesn't and you need a proper viewer. There's a reason for this.
