=====================================================================
CERT-Renater Information Note No. 2009/VULN083
_____________________________________________________________________

DATE                 : 09/03/2009
HARDWARE PLATFORM(S) : /
OPERATING SYSTEM(S)  : Systems running Foxit Reader versions 3.0, 2.3.
======================================================================

http://www.foxitsoftware.com/pdf/reader/security.htm#Stackbased
http://www.foxitsoftware.com/pdf/reader/security.htm#bypass
http://www.foxitsoftware.com/pdf/reader/security.htm#Processing
______________________________________________________________________

Stack-based Buffer Overflow

SUMMARY
Foxit PDF files include actions associated with different triggers. If an action (Open/Execute a file, Open a web link, etc.) is defined in the PDF file with an overly long filename argument and the trigger condition is satisfied, it will cause a stack-based buffer overflow.

AFFECTED SOFTWARE VERSION
Foxit Reader 3.0.

SOLUTION
All Foxit Reader users are recommended to update their Foxit Reader 3.0, available here: http://www.foxitsoftware.com/downloads/

SECURITY PROCESS
2009-02-18: Foxit received report from Core Security Technologies;
2009-02-19: Foxit confirmed issue;
2009-02-20: Foxit fixed the issue;
2009-02-28: Fix confirmed by Core Security Technologies;
2009-03-09: Foxit released fixed version 3.0 Build 1506.
__________________________________________________________________________

Security Authorization Bypass

SUMMARY
If an action (Open/Execute a file, Open a web link, etc.) is defined in the PDF file and the trigger condition is satisfied, Foxit Reader will perform the action defined by the creator of the PDF file without popping up a dialog box to confirm.
AFFECTED SOFTWARE VERSIONS
Foxit Reader 3.0 and Foxit Reader 2.3

SOLUTION
Foxit Reader users are recommended to update to Foxit Reader 3.0; those who keep using Foxit Reader 2.3 can download the updated version, available here: http://www.foxitsoftware.com/downloads/

SECURITY PROCESS
2009-02-18: Foxit received report from Core Security Technologies;
2009-02-19: Foxit confirmed issue;
2009-02-20: Foxit fixed the issue;
2009-02-28: Fix confirmed by Core Security Technologies;
2009-03-09: Foxit released fixed version 3.0 Build 1506 and version 2.3 Build 3902.
_________________________________________________________________________

JBIG2 Symbol Dictionary Processing

SUMMARY
While decoding a JBIG2 symbol dictionary segment, an array of 32-bit elements is allocated with a size equal to the number of exported symbols, but it is left uninitialised if the number of new symbols is zero. The array is later accessed, and values from uninitialised memory are used as pointers when reading memory and performing calls.

AFFECTED SOFTWARE VERSIONS
Foxit Reader 3.0 and Foxit Reader 2.3

SOLUTION
Foxit Reader users are recommended to update to Foxit Reader 3.0; those who keep using Foxit Reader 2.3 can download the updated version, available here: http://www.foxitsoftware.com/downloads/

SECURITY PROCESS
2009-02-27: Foxit received report from Secunia;
2009-02-28: Foxit confirmed issue;
2009-03-04: Foxit fixed the issue;
2009-03-04: Fix confirmed by Secunia;
2009-03-09: Foxit released fixed version 3.0 Build 1506 and version 2.3 Build 3902.
____________________________________________________________________

Ask Toolbar ToolbarSettings ActiveX Control Buffer Overflow

The ask.com toolbar that Foxit bundles is not the same version as the one reported on secunia.com, and does not have the reported vulnerability. The related report on secunia.com:
http://secunia.com/advisories/26960/
======================================================================

=========================================================
CERT-Renater reference servers
http://www.urec.fr/securite
http://www.cru.fr/securite
http://www.renater.fr
=========================================================
+ CERT-RENATER          | tel : 01-53-94-20-44       +
+ 151 bd de l'Hopital   | fax : 01-53-94-20-41       +
+ 75013 Paris           | email: certsvp@renater.fr  +
=========================================================
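As an added illustration of the JBIG2 symbol-dictionary issue described in this note (a constructed model with hypothetical names and structures, not Foxit's code), the vulnerable allocation pattern is shown beside a hardened one that refuses a dictionary whose export table could never be fully written:

```c
/* Constructed model of the JBIG2 symbol-dictionary defect class described
 * above (hypothetical names; not Foxit's code): an export table with one
 * entry per exported symbol, drawn from the input symbols plus new ones. */
#include <stdint.h>
#include <stdlib.h>

typedef struct { uint32_t width, height; } Symbol;  /* stand-in for a bitmap */
typedef struct { uint32_t num_input, num_new, num_exported; } SymDictHeader;

/* Vulnerable shape: table is malloc'd (contents undefined) and written only
 * on the path that decodes new symbols, so with num_new == 0 every slot keeps
 * stale heap data that a later stage treats as pointers. Only that path is
 * modelled here, and nothing dereferences the slots. */
Symbol **build_exports_vulnerable(const SymDictHeader *h, Symbol **syms) {
    Symbol **exports = malloc(h->num_exported * sizeof *exports);
    if (exports && h->num_new > 0)           /* skipped when num_new == 0 */
        for (uint32_t i = 0; i < h->num_exported; i++) exports[i] = syms[i];
    return exports;                          /* may be wholly uninitialised */
}

/* Hardened shape: reject exports beyond the n symbols actually available,
 * zero-initialise (calloc also guards the size multiplication), fill on every
 * path, and never return a table with an unwritten (NULL) slot. */
Symbol **build_exports_hardened(const SymDictHeader *h, Symbol **syms, uint32_t n) {
    if (h->num_exported > n) return NULL;
    Symbol **exports = calloc(h->num_exported, sizeof *exports);
    if (!exports) return NULL;
    for (uint32_t i = 0; i < h->num_exported; i++) {
        exports[i] = syms[i];
        if (!exports[i]) { free(exports); return NULL; }
    }
    return exports;
}

/* Advisory scenario, returned as a bitmask: 1 = vulnerable builder accepts a
 * dictionary exporting a symbol it never wrote, 2 = hardened builder rejects
 * it, 4 = hardened builder fills exports from inputs when num_new == 0 and
 * rejects over-export. 7 means the fix behaves as intended. */
int check_builders(void) {
    Symbol a = { 8, 8 }, b = { 16, 16 }, *syms[2] = { &a, &b };
    SymDictHeader empty = { 0, 0, 1 }, ok = { 2, 0, 2 }, over = { 2, 0, 3 };
    Symbol **v = build_exports_vulnerable(&empty, syms);
    Symbol **t = build_exports_hardened(&ok, syms, 2);
    int r = (v != NULL)
          | (!build_exports_hardened(&empty, syms, 0)) << 1
          | (t && t[0] == &a && t[1] == &b
             && !build_exports_hardened(&over, syms, 2)) << 2;
    free(v); free(t);
    return r;
}
```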