Similar critical JBIG2 processing flaw addressed

Mar 10, 2009 13:27 GMT

Foxit Software has released updates for its Foxit Reader product that address three vulnerabilities. One of the flaws, discovered and reported by vulnerability intelligence company Secunia, is located in the same JBIG2 decoding component that is the source of the unpatched bug in Adobe Reader currently being exploited in the wild.

A severe 0-day remote code execution vulnerability affecting Adobe Reader and Acrobat products was reported on February 19 by volunteers from The Shadowserver Foundation, a cyber-crime fighting outfit. Adobe acknowledged the existence of the flaw, which was already being exploited through maliciously crafted PDF files, but pointed out that a patch would not be released until March 11.

Meanwhile, people started searching for workarounds. First, it was recommended that users disable JavaScript in the affected products, which was required for the existing exploits to work. Secunia later revealed that the vulnerability could also be exploited without the use of JavaScript. Furthermore, another security researcher has recently demonstrated how the malicious code embedded in PDF files can be executed without even clicking on them.

One alternative suggested by some individuals has been to use Foxit Reader instead of Adobe's product until the latter is patched. However, it now seems that Foxit Reader was suffering from some serious flaws of its own, one of which originated in the JBIG2 processing procedures, just as was the case with the bug in Adobe Reader.

"While decoding a JBIG2 symbol dictionary segment, an array of 32-bit elements is allocated having a size equal to the number of exported symbols, but left uninitialised if the number of new symbols is zero. The array is later accessed and values from uninitialised memory are used as pointers when reading memory and performing calls," a recently published Foxit advisory explains.
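The bug class the advisory describes, shown as an added C illustration that is not Foxit's code: a pointer table sized from one header count but filled according to another, next to a version that validates the counts and zero-initialises the table. The `symdict` and `symbol` types, the function names and the sample header are hypothetical, and the model assumes exported symbols come only from the segment's own new symbols.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical, simplified segment model; not Foxit's data structures. */
typedef struct { int width, height; } symbol;
typedef struct {
    uint32_t num_exported;   /* export count claimed by the segment header */
    uint32_t num_new;        /* symbols actually decoded from this segment */
    symbol  *decoded;        /* the num_new decoded symbols */
} symdict;

/* Flawed pattern from the advisory: the table is sized by num_exported but
 * only written when new symbols exist, so num_new == 0 leaves heap garbage
 * that a later consumer treats as pointers. Shown for contrast; not called. */
symbol **exports_flawed(const symdict *d) {
    symbol **tab = malloc((size_t)d->num_exported * sizeof *tab);
    if (tab && d->num_new > 0)
        for (uint32_t i = 0; i < d->num_exported && i < d->num_new; i++)
            tab[i] = &d->decoded[i];
    return tab;
}

/* Hardened: reject headers that export more than was decoded, and
 * zero-initialise so an unfilled slot is NULL rather than stale memory. */
symbol **exports_checked(const symdict *d, int *err) {
    *err = 0;
    if (d->num_exported == 0 || d->num_exported > d->num_new) {
        *err = -1;                       /* empty or inconsistent counts */
        return NULL;
    }
    symbol **tab = calloc(d->num_exported, sizeof *tab);
    if (!tab) { *err = -2; return NULL; }
    for (uint32_t i = 0; i < d->num_exported; i++)
        tab[i] = &d->decoded[i];
    return tab;
}

int main(void) {
    symdict bad = { 4, 0, NULL };        /* constructed malformed header */
    int err;
    symbol **t = exports_checked(&bad, &err);
    printf("table=%p err=%d\n", (void *)t, err);
    free(t);
    return 0;
}
```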

In addition to this vulnerability, two other severe ones have been discovered and reported by researchers from Core Security Technologies. These have been categorized as a stack-based buffer overflow and a security authorization bypass, and allow executing arbitrary instructions from a malformed PDF file without asking for the user's consent.

Even though these bugs were reported to Foxit at almost the same time that the Adobe Reader flaw was announced, the company has already released security updates for both versions 3 and 2.3 of its affected product, and users are advised to upgrade. Adobe is expected to release its patch tomorrow.