PDF software developer Foxit has released patches to address several high-risk vulnerabilities affecting both Windows and macOS applications.
The Chinese software company’s tools allow users to create and edit PDF files, as well as secure them when necessary. Foxit also offers products under a freemium licensing model.
Last week, the company released security updates for both Foxit PhantomPDF Mac and Foxit Reader Mac, to address a vulnerability that could result in code injection or information disclosure. The issue, the company revealed, exists because hardened runtime was not enabled during code signing.
Foxit PhantomPDF Mac version 4.0.0.0430 and earlier and Foxit Reader Mac version 4.0.0.0430 and earlier are vulnerable. Foxit PhantomPDF Mac and Foxit Reader Mac 4.1 address the flaws.
Prior to updating the macOS applications, the company released patches for Foxit Reader and Foxit PhantomPDF for Windows, to address multiple vulnerabilities, including use-after-free, out-of-bounds write, and access violation issues that could lead to remote code execution or privilege escalation.
Many of the vulnerabilities patched in recent months were reported to Foxit through Trend Micro’s Zero Day Initiative (ZDI), which has also published advisories.
Several vulnerabilities affecting Foxit products were also mentioned this week in a vulnerability summary bulletin published by the U.S. Cybersecurity and Infrastructure Security Agency (CISA). The agency warned that four of the vulnerabilities in Foxit Reader and PhantomPDF for Windows feature a high severity rating. The bugs are tracked as CVE-2020-26534, CVE-2020-26539, CVE-2020-26537, and CVE-2020-26535, and have a CVSS score of 7.5.
Two other security flaws, CISA revealed, are considered medium risk: CVE-2020-26540, with a CVSS score of 5, and CVE-2020-26538, with a CVSS score of 4.4.
The bugs were identified in Foxit Reader and Foxit PhantomPDF 10.0.1.35811 and earlier, and were addressed with the release of version 10.1.
Is your business effected by Cyber Crime?
If a cyber crime or cyber attack happens to you, you need to respond quickly. Cyber crime in its several formats such as online identity theft, financial fraud, stalking, bullying, hacking, e-mail fraud, email spoofing, invoice fraud, email scams, banking scam, CEO fraud. Cyber fraud can lead to major disruption and financial disasters. Contact Digitpol’s hotlines or respond to us online.
Digitpol is available 24/7. https://digitpol.com/cybercrime-investigation/
UK +44 20 8089 9944