Foxit PDF Reader Fixes High-Severity Remote Code Execution Flaws

Foxit Software has patched over 100 vulnerabilities in its popular Foxit PDF Reader. Many of the bugs tackled by the company include a wide array of high severity remote code execution vulnerabilities.

Foxit on Friday released fixes for Foxit Reader 9.3 and Foxit PhantomPDF 9.3, which addressed a whopping 124 vulnerabilities. It’s important to note that some bugs addressed overlap, so the actual number of real-world bugs is lower. Impacted are Foxit Reader and Foxit PhantomPDF versions 9.2.0.9297 and earlier for Windows.

Eighteen vulnerabilities were discovered by Cisco, which posted an analyses of the bugs on Monday in a report. All 18 Cisco flaws have a CVSSv3 score of 8.0, or rated high in severity. They were all found in the Foxit PDF Reader’s JavaScript engine, a component or interpreter which executes JavaScript code.

Of the newly-disclosed Cisco flaws, seven are use-after-free vulnerabilities found in the JavaScript engine that can result in remote code execution.

“As a feature-rich PDF reader, Foxit supports JavaScript for interactive documents and dynamic forms,” said Cisco in its post. “When executing embedded JavaScript code, a document can be closed, which frees numerous used objects, but the JavaScript can continue to execute, potentially leading to a user-after-free condition.”

Cisco also uncovered four use-after-free flaws that can be leveraged to execute arbitrary code in the JavaScript engine of Foxit PDF Reader, including one (CVE-2018-3964) that leverages the invocation of the ‘getPageNumWords’ method of the active document with a crafted object as an argument. Another Cisco-discovered attack references six separate use-after-free CVEs  in the JavaScript engine of Foxit PDF Reader, which can be abused to execute arbitrary code.

“A specially crafted PDF document sent to a victim can trigger a previously freed object in memory to be reused, resulting in arbitrary code execution. “It should be pointed out that even though all of the above crashes happen at the same place, the execution paths are different, as evidenced by the call stack, thus separate CVEs have been allocated for each,” according to Cisco’s analysis.

It’s been a bad week for PDF readers – Foxit’s release comes out as Adobe also issued patches for its own set of services to view, create, and manage PDF files- Adobe Acrobat and Reader. Adobe on Monday released up to 47 of the patches addressed critical vulnerabilities allowing arbitrary code execution – including 22 out-of-bounds write flaws, seven critical heap overflow glitches, seven use-after-free bugs, three type confusion bugs, three buffer error bugs,  three untrusted pointer dereference flaws and a double free vulnerability.