Foxit PDF Reader, PhantomPDF Open to Remote Code Execution

silversurfer

Level 68
Verified
Trusted
Content Creator
Malware Hunter
Aug 17, 2014
5,712
Foxit Software has released patches for dozens of high-severity flaws impacting its PDF reader and editor platforms. The most severe of the bugs, which exist on Windows versions of the software, enable a remote attacker to execute arbitrary code on vulnerable systems.

Overall, Foxit Software patched flaws tied to 20 CVEs in Foxit Reader and Foxit PhantomPDF (versions 9.7.1.29511 and earlier) for Windows. Foxit Reader is popular PDF software – with a user base of over 500 million for its free version – that provides tools for creating, signing and securing PDF files. PhantomPDF, meanwhile, enables users to convert different file formats to PDF. In addition to millions users for its branded software, major corporations as Amazon, Google,and Microsoft license Foxit Software technology, opening up its threat landscape even more.

“There are several bugs that could result in remote code execution [RCE],” Dustin Childs, manager at Trend Micro’s Zero Day Initiative (ZDI), told Threatpost. “All of these should be considered critical.”

The high-severity flaws in Foxit Reader enable RCE; they are fixed in Foxit Reader version 9.7.2. In an attack scenario for these flaws, “user interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file,” according to a Trend Micro ZDI vulnerability analysis.
 

DDE_Server

Level 21
Verified
Sep 5, 2017
1,085
is this update distributed/ released via Foxit updater as i the latest version i have is still V 9.7.1.29511
1587413356136.png

and there is no newer version when i check for updates:
1587413449544.png


The newer version is available only during manual download from official site:
for reader version: https://cdn09.foxitsoftware.com/pro...C4FBBE3B3C1/FoxitReader972_enu_Setup_Prom.exe
 

ab14

Level 6
Oct 1, 2019
269
is this update distributed/ released via Foxit updater as i the latest version i have is still V 9.7.1.29511
View attachment 237816
and there is no newer version when i check for updates:
View attachment 237817

The newer version is available only during manual download from official site:
for reader version: https://cdn09.foxitsoftware.com/pro...C4FBBE3B3C1/FoxitReader972_enu_Setup_Prom.exe

Kindly note that I am using Foxit Phantom and the software version I have is different.

Annotation 2020-04-20 233616.png
 

Tiamati

Level 10
Verified
Nov 8, 2016
458
BTW, i'm using PDF X-change editor because it's the only one i know with free OCR. Do you know any other?
 
Top