A team of web application security experts has discovered multiple security vulnerabilities in Foxit PDF Reader, one of the most popular PDF reader tools and the main competitor of Adobe Reader. The flaws found include remote code execution errors considered highly serious.
The researchers, led by Aleksandar Nikolic of Cisco Talos, discovered this set of flaws, including the vulnerability tracked as CVE-2019-5031, which resides in Foxit JavaScript engine. If exploited, this flaw would allow memory corruption condition and remote code execution.
In their report, web application security specialists mention: “A specially crafted PDF document could trigger an incorrectly managed memory-lack condition, which can result in arbitrary remote code execution “. It should be noted that in order to complete the attack the threat actors must trick the victim to open the malicious PDF; exploiting the flaw is also possible via a malicious website, but this requires a browser extension enabled.
This vulnerability received an 8.8/10 score on the Common Vulnerability Scoring System (CVSS) scale, making it a critical security flaw. Version 9.4.1.16828 is the most affected by the flaw.
Other vulnerabilities fixed by Foxit’s creators include:
- Three remote code execution flaws affecting Acroform objects (CVE-2019-13326, CVE-2019-13327, CVE-2019-13328)
- A remote code execution flaw in XFA Form Template (CVE-2019-13332)
- Three “type-confusion” remote code execution vulnerabilities (CVE-2019-13329, CVE-2019-13330, CVE-2019-13331)
These vulnerabilities have CVSS scores of 7.8 and lower, so they are considered potentially dangerous. The vulnerabilities were fixed in the latest version of Foxit PDF Reader (v9.7). Users of this tool are advised to update as soon as possible to mitigate any exploitation risk.
The problems for this tool have not stopped presenting recently. A few days ago, web application security specialists from the International Institute of Cyber Security (IICS) reported the discovery of an attack variant that allowed hackers to extract information from a password-protected PDF. In addition, in late August the company was the victim of a data breach that compromised the information of thousands of users of the tool.
He is a well-known expert in mobile security and malware analysis. He studied Computer Science at NYU and started working as a cyber security analyst in 2003. He is actively working as an anti-malware expert. He also worked for security companies like Kaspersky Lab. His everyday job includes researching about new malware and cyber security incidents. Also he has deep level of knowledge in mobile security and mobile vulnerabilities.