Notifying Foxit of Security Issues

Foxit takes security very seriously and aims to provide the industry’s most secure solutions to keep customer data and systems safe. Security comes in many forms, as the sections below describe.

Security is one of the many reasons why individuals, enterprises, and OEMs look to Foxit solutions for their PDF needs.

Document Security

PhantomPDF allows document authors to create PDF documents and apply various security measures, including encryption, access control, digital signatures, and redaction (the permanent removal of content). The ease of use and power of these features in PhantomPDF allow both individual users and organizations to keep their information private and confidential.

Encryption

Security standards supported by PhantomPDF include:

  • 256-bit Advanced Encryption Standard (AES)
  • 128-bit ARC-FOUR Encryption Standard (ARC4)

Access Control

PhantomPDF users can share documents safely by applying passwords that prevent unauthorized viewing. In addition, they can apply access controls that prevent changes to a document, restrict printing, or block other alterations.

Digital Signatures

With PhantomPDF, users are able to digitally sign documents easily, using the broadest set of digital certificates. This is made possible by tight integration with the underlying operating system, so any certificate recognized by the operating system can be used by PhantomPDF. Once properly signed, the digital signature is uniquely linked to, and capable of identifying, the signer. The signer’s certificate is cryptographically bound to the document during the signing step using the private key held only by that signer. These digital signatures conform to the open PDF standard, and PhantomPDF validates them, along with the authenticity of the documents they sign, through a cryptographic exchange with the certificate authorities.

Redaction

The set of redaction tools in PhantomPDF helps users protect their sensitive or confidential information. With the redaction tools, users are able to permanently remove textual and graphical information from documents. Once redacted, no residual information is left in the document that can be recovered in any way.

Application Security

In addition to document security, we at Foxit recognize that the software itself can be a target of attacks, so we take our application security very seriously. As such, we have long adopted measures and processes that reflect leading industry best practices to ensure our application security, and have also introduced features and capabilities in the software itself so that users can further protect themselves in specialized situations.

Security Best Practices

All of Foxit’s PDF solutions are developed under the supervision of an internal process that incorporates various industry best practices. These software engineering practices cover design, development, testing, and verification. We further simulate known attack vectors in automated environments to ensure that security vulnerabilities are discovered and remediated immediately during the internal development process. In addition, we have a dedicated team of experienced security experts who have been assigned the exclusive responsibility of monitoring, troubleshooting, and verifying the execution of the entire process.

Permissioned Execution of JavaScript

The PDF standard allows JavaScript code fragments to be embedded in PDF files. These code fragments are dynamic in nature and can be executed when PDF documents are viewed by users. Such execution can have adverse effects on the user, and is considered a security concern at organizations with high security standards. To ensure complete security in such situations, PhantomPDF and Foxit Reader allow JavaScript execution to be disabled for individual users, or for the entire organization using the PhantomPDF and Foxit Reader enterprise deployment tool set.

Cross-domain Attack Prevention

Foxit recognizes the inherent risks associated with cross-domain resource access, a provision of the PDF standard itself that has at times been used by attackers to fetch malicious code fragments or other resources onto a user’s system. As such, both PhantomPDF and Foxit Reader disable such access by default, and caution users not to enable this option except in an environment where security can be completely assured by other means.

Security Alerts

For certain rich PDF files that need to perform advanced operations in the user’s environment, PhantomPDF or Foxit Reader may determine that some of these operations carry higher risk, and will alert the user and seek confirmation before proceeding with such operations. Examples include:

  • Invoking cross-domain access
  • Executing certain types of JavaScript methods
  • Injecting data
  • Injecting scripts
  • Playing embedded legacy multimedia

These alerts are implemented to be as non-intrusive to the user as possible, allowing the user to trust the document and therefore skip all further confirmations.
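As an added example (not code from the Foxit page or from Foxit’s products), the following Python scan flags the PDF constructs that the JavaScript section and the alert list above refer to: embedded JavaScript, actions that run automatically, remote resource access, and rich media. It lets an administrator who has disabled JavaScript also detect, at a mail gateway or file share, the documents that would have triggered it. The sample PDF is constructed inline; the name objects are assumed from the PDF specification, and the `#xx` name-escape handling is a deliberate evasion case.

```python
import re

# Constructed sample (not a real document): a minimal PDF whose /OpenAction
# runs embedded JavaScript as soon as the file is opened.
SAMPLE_PDF = b"""%PDF-1.7
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
4 0 obj << /S /JavaScript /JS (app.alert('constructed sample');) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Name objects from the PDF specification that map to the operations a viewer
# prompts for: scripts, automatic actions, remote resource access, multimedia.
RISKY_NAMES = {
    b"/JavaScript": "JavaScript action",
    b"/JS": "JavaScript code string or stream",
    b"/OpenAction": "action run when the document opens",
    b"/AA": "additional (automatic) actions on events",
    b"/Launch": "launches an external application or file",
    b"/URI": "fetches a remote resource (cross-domain access)",
    b"/GoToR": "jumps into another, possibly remote, file",
    b"/RichMedia": "embedded rich media / multimedia",
}

# A name token ends at whitespace, a PDF delimiter or end of data, so /JS never matches /JSX.
_END = rb"(?=[\s/\[\]<>(){}%]|$)"

def normalise_names(data: bytes) -> bytes:
    """Decode #xx escapes inside names (/Java#53cript -> /JavaScript): legal PDF
    syntax, but also a common way to hide risky names from naive scans."""
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), data)

def scan_pdf(data: bytes) -> dict:
    """Return {name: occurrence count} for every risky name present."""
    text = normalise_names(data)
    found = {}
    for name in RISKY_NAMES:
        n = len(re.findall(re.escape(name) + _END, text))
        if n:
            found[name.decode()] = n
    return found

def uses_object_streams(data: bytes) -> bool:
    """True if objects may sit inside compressed /ObjStm streams; decompress
    such files first, or this plain-text scan can miss names."""
    return re.search(rb"/ObjStm" + _END, normalise_names(data)) is not None
```

Running `scan_pdf(SAMPLE_PDF)` reports `/JavaScript`, `/JS` and `/OpenAction` once each; a file for which `uses_object_streams` is true needs its object streams inflated before the scan result can be trusted.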

Foxit has a very close working relationship with cybersecurity research groups and individuals to actively discover and patch vulnerabilities found in Foxit products (for example, the Zero Day Initiative (Trend Micro), Cisco Talos, and professionals such as mr_me). Foxit technology is used by technology giants such as Google, Microsoft and Amazon. In these projects, the technology used in Foxit Reader/PhantomPDF has been rigorously inspected by customers and third-party security inspectors. Foxit has an excellent track record of patching all found vulnerabilities within the time window security researchers recommend. Its average time to patch (~90 days) is better than the industry average (100 to 120 days). Foxit has a dedicated security response team on duty 24x7 to monitor and respond to critical security issues. Foxit also has a “green path” procedure for critical security patches.

Cloud Security

Cloud services provided by Foxit enhance the capabilities and user experience of the Foxit End User Productivity solution. These services are constantly monitored for availability, performance, as well as security.

Data Center Security

All Foxit cloud services are managed by our trusted cloud service provider, Amazon Web Services (AWS), which operates an ANSI tier-4 data center and maintains very strict controls around data center access, fault tolerance, environmental controls, and security. Only approved, authorized Foxit employees, cloud service provider employees, and contractors with a legitimate, documented business need are allowed access to the secure site in Virginia, USA.

Data Encryption and Privacy

Foxit cloud services are designed with privacy and security as a high priority. All transmissions between users and the Foxit cloud services are fully secured with 256-bit AES encryption over the HTTPS transport protocol.

Foxit employees and trusted vendors access customer data only to perform certain business and support functions, or as required by law. Foxit does not provide any government with direct or systematic access to the customer data that we store.

Off-Grid Operation

Foxit offers users and organizations the option to operate the software in complete “off grid” mode, in which the software installed by users performs no cloud service access at all. This capability offers additional deployment and operational flexibility for organizations with high security needs.

Deployment and Administration

Security Hardening

By offering security-related capabilities and configuration options, such as disabling JavaScript execution and cross-domain resource access, and enabling “off grid” operation, Foxit has made its software more robust against attacks. This can reduce or eliminate the need for out-of-band security updates and lower the urgency of regularly scheduled updates, which leads to operational flexibility as well as a lower Total Cost of Ownership (TCO), especially in large organizations with high security requirements.

Support for Citrix and Application Virtualization

PhantomPDF supports Citrix XenApp, Citrix XenDesktop, Microsoft App-V, and other virtualization environments. This allows organizations to deliver secure remote access to users effectively.

Support for Windows Server Group Policy Objects

Windows Server Group Policy Objects (GPO) enable IT administrators to automate one-to-many management of computer systems. PhantomPDF supports certified Microsoft Active Directory Administrative (ADM) templates for Group Policy, allowing the administrator to provide on-demand software installation and automatic repair of applications.

Support for Microsoft SCCM and SCUP

PhantomPDF and Foxit Reader also support Microsoft System Center Configuration Manager (SCCM) to ensure Windows desktops are always up to date with security patches.

In addition, the support for Microsoft System Center Updates Publisher (SCUP) catalogs enables IT administrators to automate updates to PhantomPDF and Foxit Reader software installations across the entire organization.

Conclusion

Foxit provides an industry-leading level of security protection for users with different needs for PDF functions, as well as for organizations of different sizes and industries. We recognize that your information and workflow are sensitive and need the utmost protection. With Foxit, you have a trusted vendor who not only builds no-compromise PDF software, but also secures it in every area dictated by the industry’s best practices.