Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Foxit Patches Code Execution Vulnerabilities in PDF Software

PDF software developer Foxit has released patches to address several high-risk vulnerabilities affecting both Windows and macOS applications.

The Chinese software company’s tools allow users to create and edit PDF files, as well as secure them when necessary. Foxit also offers products under a freemium licensing model.

PDF software developer Foxit has released patches to address several high-risk vulnerabilities affecting both Windows and macOS applications.

The Chinese software company’s tools allow users to create and edit PDF files, as well as secure them when necessary. Foxit also offers products under a freemium licensing model.

Last week, the company released security updates for both Foxit PhantomPDF Mac and Foxit Reader Mac, to address a vulnerability that could result in code injection or information disclosure. The issue, the company revealed, exists because hardened runtime was not enabled during code signing.

Foxit PhantomPDF Mac version 4.0.0.0430 and earlier and Foxit Reader Mac version 4.0.0.0430 and earlier are vulnerable. Foxit PhantomPDF Mac and Foxit Reader Mac 4.1 address the flaws.

Prior to updating the macOS applications, the company released patches for Foxit Reader and Foxit PhantomPDF for Windows, to address multiple vulnerabilities, including use-after-free, out-of-bounds write, and access violation issues that could lead to remote code execution or privilege escalation.

Some of these flaws could be triggered through the execution of JavaScript in certain AcroForm, opening of specially crafted PDF files, or the parsing of certain JPEG2000 images. Others occur during installation or are the result of improper validations or improper handling of certain resources.

Many of the vulnerabilities patched in recent months were reported to Foxit through Trend Micro’s Zero Day Initiative (ZDI), which has also published advisories.

Several vulnerabilities affecting Foxit products were also mentioned this week in a vulnerability summary bulletin published by the U.S. Cybersecurity and Infrastructure Security Agency (CISA). The agency warned that four of the vulnerabilities in Foxit Reader and PhantomPDF for Windows feature a high severity rating. The bugs are tracked as CVE-2020-26534, CVE-2020-26539, CVE-2020-26537, and CVE-2020-26535, and have a CVSS score of 7.5.

Advertisement. Scroll to continue reading.

Two other security flaws, CISA revealed, are considered medium risk: CVE-2020-26540, with a CVSS score of 5, and CVE-2020-26538, with a CVSS score of 4.4.

The bugs were identified in Foxit Reader and Foxit PhantomPDF 10.0.1.35811 and earlier, and were addressed with the release of version 10.1.

Related: Acronis Patches Privilege Escalation Flaws in Backup, Security Solutions

Related: Over 328,000 Users Hit by Foxit Data Breach

Related: Researchers Disclose New Methods for Replacing Content in Signed PDF Files

Related: Code Execution Vulnerabilities Found in Aspose PDF Processing Product

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

Vulnerabilities

A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Cybercrime

Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.

Vulnerabilities

Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.

Vulnerabilities

The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.