Foxit Patches Vulnerability Allowing Attackers to Execute Malware Via PDF Files
This High-Severity Flaw Was Addressed with the Release of Foxit Reader 10.1.4.37651, and Impacts Foxit Reader 10.1.3.37598 and Earlier Versions.
Foxit Software, the US and China-based PDF software developer, has recently released security updates to fix a high-severity Remote Code Execution (RCE) vulnerability affecting its PDF reader.
Foxit, which claims to have more than 560 million users located in more than 200 countries, announced that this security flaw could let threat actors execute malicious code on users’ Windows computers and potentially take control over them.
As reported by BleepingComputer, the vulnerability, tracked as CVE-2021-21822, originates from a use-after-free bug. Successful exploitation of such bugs can lead to anything from program crashes and data corruption to the execution of arbitrary code on computers running the vulnerable software.
The flaw stems from how the Foxit Reader app and browser extensions handle certain annotation types, which attackers can abuse by crafting malicious PDFs. This permits them to execute arbitrary code via precise memory control.
According to Nikolic,
A specially crafted PDF document can trigger the reuse of previously free memory, which can lead to arbitrary code execution. An attacker needs to trick the user into opening a malicious file or site to trigger this vulnerability if the browser plugin extension is enabled.
This high-severity vulnerability was addressed with the release of Foxit Reader 10.1.4.37651, and impacts Foxit Reader 10.1.3.37598 and earlier versions.
The good news is that the vulnerability has been patched. To protect yourself against CVE-2021-21822 attacks, Foxit recommends that you download the latest Foxit Reader version and then click on “Check for Updates” in the app’s “Help” dialog.
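For teams that need to find affected installs across many machines, the version boundaries stated above can be turned into a triage check. The following is an added example, not code from Foxit or from the original article; the CSV inventory format, host names and sample versions are constructed assumptions.

```python
import csv
import io

# Version boundaries as stated in the article.
LAST_AFFECTED = (10, 1, 3, 37598)   # this build and earlier are affected
FIRST_FIXED = (10, 1, 4, 37651)     # release that addresses CVE-2021-21822

# Constructed sample inventory (hypothetical hosts and export format).
SAMPLE_INVENTORY = """host,product,version
ws-001,Foxit Reader,10.1.3.37598
ws-002,Foxit Reader,10.1.4.37651
ws-003,Foxit Reader,9.7.0.100
ws-004,Foxit Reader,10.1.4
ws-006,Foxit Reader,unknown
ws-007,Other PDF Tool,1.0.0.0
"""


def parse_version(text):
    """Return a 4-part integer tuple, or None if not a dotted numeric version."""
    parts = text.strip().split(".")
    if not 1 <= len(parts) <= 4 or not all(p.isascii() and p.isdigit() for p in parts):
        return None
    # Pad short versions ("10.1.4") with zeros so tuples compare component-wise.
    return tuple(int(p) for p in parts) + (0,) * (4 - len(parts))


def classify(version_text):
    """Map a reported Foxit Reader version to a triage status."""
    version = parse_version(version_text)
    if version is None:
        return "unparseable"
    if version <= LAST_AFFECTED:
        return "vulnerable"
    if version >= FIRST_FIXED:
        return "patched"
    # Between the two builds the article makes no statement; check by hand.
    return "verify"


def triage(inventory_csv):
    """Return {host: status} for every Foxit Reader row in the inventory."""
    rows = csv.DictReader(io.StringIO(inventory_csv))
    return {r["host"]: classify(r["version"])
            for r in rows if r["product"].strip().lower() == "foxit reader"}


if __name__ == "__main__":
    print(triage(SAMPLE_INVENTORY))
```

Hosts reported as "verify" or "unparseable" should be checked directly rather than assumed safe, since truncated or missing version strings are common in inventory exports.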
Besides CVE-2021-21822, the latest version fixes several other security bugs that impacted previous versions of Foxit Reader and exposed user devices to denial of service, remote code execution, information disclosure, SQL injection, DLL hijacking, and more.
You can find below a complete list of security fixes in the Foxit Reader 10.1.4 version:
- Issues where the application could be exposed to a memory corruption vulnerability and fail to export certain PDF files to other formats.
- Issues where the application could be exposed to a denial of service vulnerability and crash when handling certain XFA forms or binding objects.
- Issues where the application could be exposed to denial of service, null pointer reference, out-of-bounds read, context level bypass, type confusion or buffer overflow vulnerabilities and crash, which attackers could exploit to execute remote code.
- An issue where the application could be exposed to an arbitrary file deletion vulnerability due to improper access control.
- An issue where the application could deliver incorrect signature information for certain PDF files that contained invisible digital signatures.
- Issues where the application could be exposed to a DLL hijacking vulnerability when launched, which attackers could exploit to execute remote code by placing a malicious DLL in the specified path directory.
- An issue where the application could be exposed to an out-of-bounds write vulnerability when scanning certain PDF files that contain a non-standard /Size key value in the Trailer dictionary.
- An issue where the application could be exposed to an out-of-bounds write vulnerability and crash when converting certain PDF files to Microsoft Office files.
- Issues where the application could be exposed to a SQL injection remote code execution vulnerability.
- An issue where the application could be exposed to an uninitialized variable information disclosure vulnerability and crash.
- Issues where the application could be exposed to an out-of-bounds read buffer overflow or heap-based buffer overflow vulnerability, which attackers could exploit to execute remote code or reveal sensitive information.