Patches are available for eight high-severity flaws impacting the popular PDF software Foxit Reader. The bugs, which exist on Windows versions of the software, enable a remote attacker to execute arbitrary code on vulnerable systems.
This week, Foxit Software, the company behind Foxit Reader, released the patches. While the number of Foxit Reader users is unclear, the company claimed last year it has over 475 million users of its products.
Foxit Software is urging customers to update to the latest version of its tool. “Foxit has released Foxit Reader 9.7, which addresses potential security and stability issues,” said the company in a security advisory.
JavaScript Error
The most severe of these flaws (CVE-2019-5031), which has a CVSS score of 8.8 out of 10.0, exists in how Foxit Reader interacts with JavaScript engine (the program that executes JavaScript code). JavaScript can be supported by Foxit Reader for interactive documents and dynamic forms. For instance, when a user opens a PDF document, it can execute JavaScript.
However, when certain versions for the JavaScript engine (version 7.5.45 and previous versions in the V8 JavaScript engine) are used in version 9.4.1.16828 of Foxit Reader, it can result in arbitrary code execution and denial of service. That’s because in the impacted Foxit Reader version, opening the JavaScript engine results in a large amount of memory being allocated, which quickly uses up all available memory. This would usually result in an out-of-memory state being detected and the process would be terminated. However, that process does not exist in the impacted Foxit Reader.
In an attack scenario, “a specially crafted PDF document can trigger an out-of-memory condition which isn’t handled properly, resulting in arbitrary code execution,” according to Cisco Talos, which discovered the flaw. “An attacker needs to trick the user to open the malicious file to trigger this vulnerability. If the browser plugin extension is enabled, visiting a malicious site can also trigger the vulnerability.”
Other Flaws
The remaining high-severity vulnerabilities in Foxit Reader were reported by Zero Day Initiative, and all have a CVSS score of 7.8 out of 10.0 on the CVSS scale, making them “high-severity.”
In all cases, the vulnerabilities could allow a remote attacker to gain access to the victims’ systems. Foxit recommends Windows users with versions 9.6.0.25114 and earlier “upgrade to the latest version of Foxit Reader (9.7 or later), available from the Foxit Web site.”
Three of the flaws (CVE-2019-13326,CVE-2019-13327,CVE-2019-13328) stem from issues tied to how Foxit Reader handles AcroForm Fields, which are PDF files that contain form fields, which data can be entered into.
“The specific flaw exists within the processing of fields within Acroform objects,” said ZDI in regards to all three flaws. “The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the current process.”
The remaining high-severity flaws exist in Foxit Reader’s handling of TIF files (CVE-2019-13329), JPG files (CVE-2019-13330,CVE-2019-13331) and XFA Form Templates (CVE-2019-13332). XFA stands for XML Forms Architecture, a family of proprietary XML specifications that was developed by JetForm to enhance the processing of web forms.
The flaws allow remote attackers to execute arbitrary code on affected installations of Foxit Reader; however, they all come with a caveat: The target must first visit a malicious page or open a malicious file.
It’s only Foxit Software’s latest security issue: In August, the company said that hundreds of thousands of accounts were affected in a data breach that compromised user names, company names and IP addresses.
Last year, Foxit Software patched over 100 vulnerabilities in its Foxit Reader. Many of the bugs tackled by the company include a wide array of high severity remote code execution vulnerabilities.
What are the top cyber security issues associated with privileged account access and credential governance? Experts from Thycotic will discuss during our upcoming free Threatpost webinar, “Hackers and Security Pros: Where They Agree & Disagree When It Comes to Your Privileged Access Security.” Click here to register.
