Secunia finds 'highly critical' Foxit Reader Flaw

Summary:Add the popular Foxit Reader to the list of desktop software applications to be patched as a matter of priority.According to vulnerability research outfit Secunia, there's a "highly critical" vulnerability in the alternative PDF reader software that can be exploited by malicious hackers to take complete control of a target system.

Secunia finds ‘highly critical’ Foxit Reader Flaw
Add the popular Foxit Reader to the list of desktop software applications to be patched as a matter of priority.

According to vulnerability research outfit Secunia, there's a "highly critical" vulnerability in the alternative PDF reader software that can be exploited by malicious hackers to take complete control of a target system.

The skinny:

The vulnerability is caused due to a boundary error when parsing format strings containing a floating point specifier in the "util.printf()" JavaScript function. This can be exploited to cause a stack-based buffer overflow via a specially crafted PDF file.   Successful exploitation allows execution of arbitrary code.

The vulnerability is confirmed in version 2.3 build 2825. Other versions may also be affected.

Secunia says vulnerability is fixed in an upcoming version 2.3 build 2912 but, inexplicably, the vulnerable build 2828 is currently being delivered from Foxit's download page (see image above).

For the average computer user, it's near impossible to keep up with patches for all the installed desktop applications.  Some software vendors are using automatic updates to ensure patches are deployed in a timely manner but, unless you are savvy enough to keep an eye out for vulnerability warnings, chances are there's a vulnerable software on your machine, leaving you exposed to malicious hacker attacks.

[ SEE: Ten free security utilities you should already be using ]

There's no clear cut solution to handle client-side patch management but, for starters, I like to recommend Secunia's PSI (personal software inspector), a free utility that scans Windows machines in search unpatched software products.  The tool  works by by examining files on your computer (primarily .exe, .dll, and .ocx files) for meta information on specific software builds installed. After examining all the files on the machine, the collected data is sent to Secunia’s servers and matched against the Secunia File Signatures engine to determine the exact applications installed on your system.

The Secunia PSI can be used to flag insecure/end-of-life software and find direct download links to missing security updates. It monitors more than 4,200 desktop applications.

Topics: CXO, Hardware, IT Employment, Security, Software

About

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the globe. He is taking a leadership role in developing the company's online community initiative around secure content managem... Full Bio

zdnet_core.socialButton.googleLabel Contact Disclosure

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Related Stories

The best of ZDNet, delivered

You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
Subscription failed.