Foxit Software has patched over 100 vulnerabilities in its popular Foxit PDF Reader. Many of the bugs the company addressed are high-severity remote code execution vulnerabilities.
Foxit on Friday released Foxit Reader 9.3 and Foxit PhantomPDF 9.3, which together address a whopping 124 vulnerabilities. It’s important to note that some of the addressed bugs overlap, so the actual number of distinct real-world bugs is lower. Affected are Foxit Reader and Foxit PhantomPDF versions 22.214.171.12497 and earlier for Windows.
“A specially crafted PDF document sent to a victim can trigger a previously freed object in memory to be reused, resulting in arbitrary code execution.” “It should be pointed out that even though all of the above crashes happen at the same place, the execution paths are different, as evidenced by the call stack, thus separate CVEs have been allocated for each,” according to Cisco’s analysis.
It’s been a bad week for PDF readers – Foxit’s release comes as Adobe also issued patches for its own set of products for viewing, creating and managing PDF files, Adobe Acrobat and Reader. Of the patches Adobe released on Monday, 47 addressed critical vulnerabilities allowing arbitrary code execution – including 22 out-of-bounds write flaws, seven critical heap overflow bugs, seven use-after-free bugs, three type confusion bugs, three buffer error bugs, three untrusted pointer dereference flaws and a double free vulnerability.