Foxit Reader Update Patches Over 100 Vulnerabilities
4.10.2018 securityweek Vulnerebility
The newly released Foxit Reader 9.3 brings along patches for over 100 security flaws, including some that could result in remote code execution.
Developed by California-based Foxit Software, the Foxit Reader is a multilingual freemium tool that allows users to create, view, edit, digitally sign, and print Portable Document Format (PDF) files. According to the company, the reader has hundreds of millions of users.
The latest version of the reader, Foxit reveals in an advisory, brings patches for a broad range of vulnerabilities, including out-of-bounds, use-after-free, information disclosure, type confusion, and memory corruption bugs, the most severe of which could result in remote code execution.
The vulnerabilities, Foxit says, could be exploited when parsing strings, when executing certain JavaScript, due to the use of objects which have been deleted or closed, when handling certain properties of annotation objects, or when opening or processing malicious PDF documents.
18 of the vulnerabilities were disclosed by security researchers with Cisco Talos, all of which could be exploited for either remote or arbitrary code execution. The bugs impact the JavaScript engine of the Reader and can be exploited with the help of a specially crafted, malicious PDF either open in the application itself or in a browser, if the browser plugin is enabled.
Most of the remaining security vulnerabilities addressed with this update were discovered by security researchers working with Trend Micro's Zero Day Initiative.
The bugs are said to impact version 9.2.0.9297 and earlier of Foxit Reader and Foxit PhantomPDF and have been addressed with the release of Foxit Reader 9.3 and Foxit PhantomPDF 9.3.
The security updates arrived only days before Adobe released tens of patches for its own PDF tools. On Monday, the company announced the availability of Acrobat DC and Acrobat Reader DC (Continuous) 2019.008.20071, Acrobat 2017 and Reader DC 2017 (Classic 2017) 2017.011.30105, and Acrobat DC and Reader DC (Classic 2015) 2015.006.30456, which address a total of 86 vulnerabilities