Foxit Software has released patches for dozens of high-severity flaws impacting its PDF reader and editor platforms. The most severe of the bugs, which exist on Windows versions of the software, enable a remote attacker to execute arbitrary code on vulnerable systems.
Overall, Foxit Software patched flaws tied to 20 CVEs in Foxit Reader and Foxit PhantomPDF (versions 9.7.1.29511 and earlier) for Windows. Foxit Reader is popular PDF software – with a user base of over 500 million for its free version – that provides tools for creating, signing and securing PDF files. PhantomPDF, meanwhile, enables users to convert different file formats to PDF. In addition to millions users for its branded software, major corporations as Amazon, Google,and Microsoft license Foxit Software technology, opening up its threat landscape even more.
“There are several bugs that could result in remote code execution [RCE],” Dustin Childs, manager at Trend Micro’s Zero Day Initiative (ZDI), told Threatpost. “All of these should be considered critical.”
The high-severity flaws in Foxit Reader enable RCE; they are fixed in Foxit Reader version 9.7.2. In an attack scenario for these flaws, “user interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file,” according to a Trend Micro ZDI
vulnerability analysis.