Foxit PDF Reader fixes serious remote code execution vulnerability

Share this…

Users of the PDF reader Foxit must upgrade their software to Reader 9.3 and Foxit PhantomPDF 9.3 to correct over 100 flaws

Foxit Software has released update patches to correct more than 100 vulnerabilities in its popular PDF reader Foxit PDF. Many of the errors that the company addresses include a wide range of remote code execution vulnerabilities considered high-severity, as reported by experts in digital forensics.

Last Friday Foxit released fixes for the Foxit Reader 9.3 and Foxit PhantomPDF 9.3 software, which have patched 124 vulnerabilities. It is important to highlight that some of the addressed flaws overlap, so the number of exploitable vulnerabilities is actually lower. The and previous versions of Foxit Reader and Foxit PhantomPDF for Windows are affected.

Eighteen of these vulnerabilities were discovered by a cybersecurity and digital forensics firm, which later published an analysis of the encountered flaws. These 18 flaws have a score of 8/10 according to the Common Vulnerability Socring System, which make them considered as severe. All vulnerabilities were found in the Foxit PDF Reader JavaScript engine, a component or interpreter running the JavaScript code.

Out of the recently revealed flaws, seven are vulnerabilities that allow remote code execution.

This group of experts also discovered four flaws that can be leveraged to execute arbitrary code in the Foxit PDF Reader JavaScript engine, including a vulnerability (CVE-2018-3964) that leverages the invocation of the ‘GetPageNumWords’ method on the active file. Another of the described attacks refers to six separate exploitable vulnerabilities after free use in the Foxit PDF Reader JavaScript engine, which can be exploited to execute arbitrary code.

“A specially designed PDF document is sent to the victim to activate a previously released object in memory that will be reused, which activates arbitrary code execution”, the specialists mentioned. It should be noted that although all previous flaws occur at the same location, the execution methods are different, so separate codenames have been assigned for each vulnerability”, mentioned in the analysis.

These have been difficult days for PDF readers. Digital forensics specialists from the International Institute of Cyber Security report that Adobe has also launched patches for its services for reading, creating and managing PDF files. The company launched on Monday up to 47 patches targeting critical vulnerabilities that allow arbitrary code execution, including 22 off-limits writing flaws, seven critical overflow vulnerabilities, seven “after-free use” errors, three type confusion errors, three buffer flaws, three untrusted pointer unreferenced flaws, and a dual free vulnerability.