Jul 21, 2011 18:26 GMT

Foxit Software has released version 5.0.2 of its PDF reader program to address two vulnerabilities that can result in remote execution of arbitrary code.

One of the vulnerabilities was discovered by Dmitriy Pletnev of Secunia and can be exploited by tricking the victim into opening a maliciously crafted PDF file.

"The vulnerability is caused due to a boundary error in the FoxitReaderOCX ActiveX control when processing the 'OpenFile()' method.

"This can be exploited to cause a heap-based buffer overflow via an overly long string passed in the 'strFilePath' parameter," explains the Danish vulnerability research vendor, which rates the vulnerability as highly critical.

The second flaw is an insecure library loading vulnerability which allows an attacker to execute malicious code by placing a rogue file into the program's directory.

Also known as DLL hijacking, this type of vulnerability stems from the way programs look for a library file when an absolute path is not specified. When this happens, programs search for it in a list of predefined directories, including their main folders and the working directories.

If the file does not exist because it is specific to another version of the operating system, an attacker can place one with the same name in one of the search path directories, which will lead to its execution.
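The search behaviour described above can be audited from the defender's side. The following is an added example, not code from Foxit or the researchers named here: it models an ordered library search over a constructed directory layout and flags names that resolve outside a trusted directory or are missing everywhere. The file names, the directory layout and the search order are assumptions made for the illustration.

```python
import os
import tempfile

def resolve(name, search_dirs):
    """Return the first directory, in search order, that contains `name`."""
    for directory in search_dirs:
        if os.path.isfile(os.path.join(directory, name)):
            return directory
    return None

def audit(names, search_dirs, trusted_dirs):
    """Classify each library name requested without an absolute path."""
    findings = {}
    for name in names:
        hit = resolve(name, search_dirs)
        if hit is None:
            # Exists nowhere: any same-named file that later appears in a
            # searched directory would be the one that gets loaded.
            findings[name] = "missing"
        elif hit in trusted_dirs:
            findings[name] = "trusted"
        else:
            # Resolved from a directory outside the trusted set.
            findings[name] = "untrusted:" + os.path.basename(hit)
    return findings

def demo():
    """Build a constructed directory layout and audit three sample names."""
    root = tempfile.mkdtemp()
    app, system, cwd = (os.path.join(root, d) for d in ("app", "system", "cwd"))
    for directory in (app, system, cwd):
        os.makedirs(directory)
    # Constructed sample files (empty placeholders, hypothetical names).
    for directory, name in ((system, "common.dll"), (system, "shadowed.dll"),
                            (app, "shadowed.dll")):
        open(os.path.join(directory, name), "w").close()
    # Assumed order: program folder, then system folder, then working directory.
    order = [app, system, cwd]
    names = ["common.dll", "shadowed.dll", "legacy.dll"]
    return audit(names, order, trusted_dirs={system})

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

A "missing" result corresponds to the case in the paragraph above, where the library is absent on this version of the operating system and every searched directory is consulted in turn.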

This Foxit Reader vulnerability was identified by Rob Kraus of Security Consulting Services (SCS) and confirmed by Core Security Technologies.

Foxit Reader is the most popular PDF client after Adobe Reader and is usually used as a replacement because it is viewed as more secure. However, Adobe Reader X, which features sandboxing technology, has shifted the security balance back in its own favor.

Foxit Reader is bundled in Google Chrome, where it's used for the browser's native PDF reading function. However, the plugin runs completely under Chrome's sandbox, so the risk of successful attacks is very low.

The latest version of Foxit Reader for Windows can be downloaded from here.