Multiple Security Vulnerabilities Discovered In Foxit PDF Reader

Foxit, the popular rival to Adobe Reader, is once again in the news over security issues. This time, Foxit PDF Reader has been found to contain several serious security vulnerabilities. Discovered by multiple researchers, these include some high-severity remote code execution bugs.

JavaScript Remote Code Execution Vulnerability

A researcher from Cisco Talos, Aleksandar Nikolic, discovered a high-severity flaw in Foxit PDF Reader. The vulnerability, CVE-2019-5031, existed in the software's JavaScript engine. Exploiting this memory corruption vulnerability could allow remote code execution.

As described in the vulnerability report by Talos:

A specially crafted PDF document can trigger an out-of-memory condition which isn’t handled properly, resulting in arbitrary code execution. An attacker needs to trick the user to open the malicious file to trigger this vulnerability. If the browser plugin extension is enabled, visiting a malicious site can also trigger the vulnerability.

The bug primarily affected software version 9.4.1.16828. It was the most serious of all the vulnerabilities, with a high-severity rating and a CVSSv3 score of 8.8.

Other Vulnerabilities In Foxit PDF Reader

In addition to the above, Foxit also patched numerous other security flaws affecting the PDF Reader. As reported by Trend Micro's ZDI, these include three use-after-free remote code execution flaws affecting AcroForm objects (CVE-2019-13326, CVE-2019-13327, CVE-2019-13328), one use-after-free RCE flaw affecting the XFA form template (CVE-2019-13332), and three type-confusion RCE flaws (CVE-2019-13329, CVE-2019-13330, and CVE-2019-13331). All of these flaws were rated high severity, with a CVSS score of 7.8.

Foxit has patched all eight vulnerabilities in the latest release, Foxit PDF Reader 9.7. Users should therefore update to the latest patched version.

In August, Foxit disclosed a data breach that exposed the personal information of some of its customers, and in 2017 the company made the news for several critical security vulnerabilities.
