Critical Foxit PDF Reader Vulnerabilities: Update as soon as possible

A team of web application security experts has discovered multiple security vulnerabilities in Foxit PDF Reader, one of the most popular PDF reader tools and the main competitor of Adobe Reader. The flaws found include remote code execution errors considered highly serious.

The researchers, led by Aleksandar Nikolic of Cisco Talos, discovered this set of flaws, including the vulnerability tracked as CVE-2019-5031, which resides in Foxit JavaScript engine. If exploited, this flaw would allow memory corruption condition and remote code execution.

In their report, web application security specialists mention: “A specially crafted PDF document could trigger an incorrectly managed memory-lack condition, which can result in arbitrary remote code execution “. It should be noted that in order to complete the attack the threat actors must trick the victim to open the malicious PDF; exploiting the flaw is also possible via a malicious website, but this requires a browser extension enabled.

This vulnerability received an 8.8/10 score on the Common Vulnerability Scoring System (CVSS) scale, making it a critical security flaw. Version 9.4.1.16828 is the most affected by the flaw.

Other vulnerabilities fixed by Foxit’s creators include:

  • Three remote code execution flaws affecting Acroform objects (CVE-2019-13326, CVE-2019-13327, CVE-2019-13328)
  • A remote code execution flaw in XFA Form Template (CVE-2019-13332)
  • Three “type-confusion” remote code execution vulnerabilities  (CVE-2019-13329, CVE-2019-13330, CVE-2019-13331)

These vulnerabilities have CVSS scores of 7.8 and lower, so they are considered potentially dangerous. The vulnerabilities were fixed in the latest version of Foxit PDF Reader (v9.7). Users of this tool are advised to update as soon as possible to mitigate any exploitation risk.

The problems for this tool have not stopped presenting recently. A few days ago, web application security specialists from the International Institute of Cyber Security (IICS) reported the discovery of an attack variant that allowed hackers to extract information from a password-protected PDF. In addition, in late August the company was the victim of a data breach that compromised the information of thousands of users of the tool.