
Foxit Patches Several Code Execution Vulnerabilities in PDF Reader

Popular PDF document reader Foxit Reader has been updated to address multiple use-after-free security bugs that could be exploited for arbitrary code execution.

The feature-rich PDF reader provides broad functionality to users, including support for multimedia documents and dynamic forms via JavaScript support, which also expands the application’s attack surface.

This week, Cisco’s Talos security researchers have published information on four vulnerabilities in Foxit Reader’s JavaScript engine that could be exploited to achieve arbitrary code execution.

The issues, tracked as CVE-2022-32774, CVE-2022-38097, CVE-2022-37332 and CVE-2022-40129, have a CVSS score of 8.8 and are described as use-after-free vulnerabilities.

“A specially crafted PDF document can trigger the reuse of previously freed memory, which can lead to arbitrary code execution,” Cisco explains.

An attacker looking to exploit these vulnerabilities would need to trick a user into opening a malicious file. According to Cisco, if the Foxit browser plugin extension is enabled, the bugs can be triggered when the user navigates to a malicious website.

Cisco reported the security defects to Foxit in September. This week, Foxit released version 12.0.1.12430 of its PDF reader to address all issues. Users are advised to update to the latest software iteration as soon as possible.


Written By

Ionut Arghire is an international correspondent for SecurityWeek.
