Security Experts:

Connect with us

Hi, what are you looking for?



Foxit Reader Update Patches Over 100 Vulnerabilities

The newly released Foxit Reader 9.3 brings along patches for over 100 security flaws, including some that could result in remote code execution.

The newly released Foxit Reader 9.3 brings along patches for over 100 security flaws, including some that could result in remote code execution.

Developed by California-based Foxit Software, the Foxit Reader is a multilingual freemium tool that allows users to create, view, edit, digitally sign, and print Portable Document Format (PDF) files. According to the company, the reader has hundreds of millions of users.

The latest version of the reader, Foxit reveals in an advisory, brings patches for a broad range of vulnerabilities, including out-of-bounds, use-after-free, information disclosure, type confusion, and memory corruption bugs, the most severe of which could result in remote code execution.

The vulnerabilities, Foxit says, could be exploited when parsing strings, when executing certain JavaScript, due to the use of objects which have been deleted or closed, when handling certain properties of annotation objects, or when opening or processing malicious PDF documents.

18 of the vulnerabilities were disclosed by security researchers with Cisco Talos, all of which could be exploited for either remote or arbitrary code execution. The bugs impact the JavaScript engine of the Reader and can be exploited with the help of a specially crafted, malicious PDF either open in the application itself or in a browser, if the browser plugin is enabled.

Most of the remaining security vulnerabilities addressed with this update were discovered by security researchers working with Trend Micro’s Zero Day Initiative.

The bugs are said to impact version and earlier of Foxit Reader and Foxit PhantomPDF and have been addressed with the release of Foxit Reader 9.3 and Foxit PhantomPDF 9.3.

The security updates arrived only days before Adobe released tens of patches for its own PDF tools. On Monday, the company announced the availability of Acrobat DC and Acrobat Reader DC (Continuous) 2019.008.20071, Acrobat 2017 and Reader DC 2017 (Classic 2017) 2017.011.30105, and Acrobat DC and Reader DC (Classic 2015) 2015.006.30456, which address a total of 86 vulnerabilities

Related: Code Execution Flaws Patched in Foxit PDF Reader

Related: Adobe Patches 86 Vulnerabilities in Acrobat Products


Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.


GoAnywhere MFT users warned about a zero-day remote code injection exploit that can be targeted directly from the internet