Cisco Talos discloses serious vulnerabilities in Foxit PDF Reader

Cisco Talos researcher Aleksandar Nikolic has unearthed one of the critical vulnerabilities fixed in the latest Adobe Acrobat and Reader security updates. He is also the one who recently discovered 23 vulnerabilities in another popular PDF reader: Foxit.

Foxit PDF Reader is a free program for viewing, creating and editing PDF documents. It has a large user base and is commonly used as an alternative to Adobe Reader.

Foxit PDF Reader vulnerabilities

“As a complete and feature-rich PDF reader, [Foxit] supports JavaScript for interactive documents and dynamic forms. JavaScript support poses an additional attack surface,” Nikolic explained.

“When executing embedded JavaScript code, a document can be closed, which essentially frees a lot of used objects, but the JavaScript can continue to execute. Invoking a method which keeps a stale reference to a now-freed object can lead to a use-after-free condition, which can be abused to execute arbitrary code.”

All of the 23 flaws he has found are use-after-free vulnerabilities in the JavaScript engine of Foxit PDF Reader, either version 9.1.0.5096 or 9.2.0.9297.

All of them can be exploited to achieve arbitrary code execution via a document specially crafted to cause a previously freed object in memory to be reused.
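The close-then-keep-running sequence described above can be modelled in a few lines of C. This is an added example, not Foxit's code or Talos's PoC: every name in it (`doc_open`, `doc_close`, `doc_get_title`, the handle table) is hypothetical, and it shows one common defensive design in which script-visible objects are reached through generation-checked handles, so a stale reference is rejected instead of dereferenced.

```c
#include <stdio.h>
#include <stdlib.h>
/* Hypothetical model, not Foxit's code: scripts hold handles, not pointers. */
#define MAX_OBJS 8
typedef struct { char title[32]; } Doc;
typedef struct { Doc *ptr; unsigned gen; } Slot;
typedef struct { unsigned slot, gen; } Handle;
static Slot table[MAX_OBJS];

Handle doc_open(const char *title) {
    for (unsigned i = 0; i < MAX_OBJS; i++) {
        if (table[i].ptr) continue;
        if (!(table[i].ptr = calloc(1, sizeof(Doc)))) break;
        snprintf(table[i].ptr->title, sizeof table[i].ptr->title, "%s", title);
        return (Handle){ i, table[i].gen };
    }
    return (Handle){ MAX_OBJS, 0 };  /* invalid handle */
}
/* Live object, or NULL when the handle is invalid or stale. */
static Doc *resolve(Handle h) {
    if (h.slot >= MAX_OBJS) return NULL;
    Slot *s = &table[h.slot];
    return (s->ptr && s->gen == h.gen) ? s->ptr : NULL;
}
/* Free and bump the generation so handles issued earlier stop resolving. */
int doc_close(Handle h) {
    Doc *d = resolve(h);
    if (!d) return -1;
    free(d);
    table[h.slot] = (Slot){ NULL, h.gen + 1 };
    return 0;
}
/* A "script method": fails cleanly on a stale handle. */
int doc_get_title(Handle h, char *out, size_t n) {
    Doc *d = resolve(h);
    if (!d) return -1;
    snprintf(out, n, "%s", d->title);
    return 0;
}
/* The article's sequence: the script closes the document, then keeps running. */
int script_close_then_use(void) {
    char buf[32];
    Handle h = doc_open("a.pdf");   /* constructed sample name */
    doc_close(h);
    Handle h2 = doc_open("b.pdf");  /* reuses the freed slot */
    int rc = doc_get_title(h, buf, sizeof buf);
    doc_close(h2);
    return rc;                      /* stale handle rejected */
}
int main(void) { return script_close_then_use() == -1 ? 0 : 1; }
```

With a raw `Doc *` in place of the handle, the same call sequence would read memory that now belongs to the second document, which is the condition the advisories describe.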

The attacker would need to convince the user to open the malicious file to trigger any of these vulnerabilities. If the browser plugin extension is enabled, visiting a malicious site can also trigger the vulnerability.

For more specific details about each of the flaws as well as PoCs, go here.

The good news is the vulnerabilities have been patched. Users are advised to update to the latest version of the software (if they haven’t already).

Cisco Talos has also released a number of Snort rules that should detect attempts to exploit these flaws.