=====================================================================
                                   CERT-Renater

                        Information Note No. 2009/VULN253
_____________________________________________________________________

DATE                      : 23/06/2009

HARDWARE PLATFORM(S)      : /

OPERATING SYSTEM(S)       : Systems running Foxit Reader.

======================================================================
http://www.kb.cert.org/vuls/id/251793
______________________________________________________________________

US-CERT Vulnerability Note VU#251793

Foxit Reader contains multiple vulnerabilities in the processing of JPX data

Overview

   Foxit Reader contains multiple vulnerabilities that may allow an
   attacker to execute arbitrary code.

I. Description

   Foxit Reader is software designed to view Portable Document Format
   (PDF) files. Adobe also distributes the Adobe Acrobat Plug-In to allow
   users to view PDF files inside of a web browser. Foxit Reader contains
   multiple vulnerabilities in the handling of JPX (JPEG2000) streams.
   These vulnerabilities may result in memory corruption.

   Note: Foxit Reader does not contain the ability to decode JPEG2000
   data by default. The JPEG2000 / JBIG Decoder add-on must be
   installed for Foxit Reader to be vulnerable. When Foxit Reader
   encounters a PDF document that has JPEG2000 or JBIG data, the user
   will automatically be prompted to install the add-on, however.
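
   Added example (not part of the US-CERT note or of Foxit's code): a
   mail or web gateway triage check that flags PDFs declaring a JPEG2000
   or JBIG2 image filter, so they can be held until the reader and add-on
   are updated. The filter names /JPXDecode and /JBIG2Decode come from
   the PDF format; the function names and sample bytes are constructed.

```python
import re
import sys

# PDF stream filter names for the two codecs the add-on decodes.
WATCHED = {b"JPXDecode": "JPEG2000", b"JBIG2Decode": "JBIG2"}

# A PDF name is '/' plus regular characters; '#xx' is a hex escape.
NAME_RE = re.compile(rb"/([^\x00\t\n\x0c\r ()<>\[\]{}/%]+)")
HEX_ESC = re.compile(rb"#([0-9A-Fa-f]{2})")


def decode_name(raw: bytes) -> bytes:
    """Undo #xx escapes so /JPXD#65code compares equal to /JPXDecode."""
    return HEX_ESC.sub(lambda m: bytes([int(m.group(1), 16)]), raw)


def find_image_codecs(data: bytes) -> dict:
    """Return {codec: count} for watched filter names in raw PDF bytes.

    Raw scan only: a name stored inside a compressed object stream is
    not seen, so treat a clean result as "nothing declared in the clear".
    """
    hits = {}
    for m in NAME_RE.finditer(data):
        codec = WATCHED.get(decode_name(m.group(1)))
        if codec:
            hits[codec] = hits.get(codec, 0) + 1
    return hits


def triage(data: bytes) -> str:
    """Classify one file: 'not-pdf', 'hold-for-review' or 'pass'."""
    if b"%PDF-" not in data[:1024]:
        return "not-pdf"
    return "hold-for-review" if find_image_codecs(data) else "pass"


# Constructed sample inputs (not taken from any real document).
SAMPLE_JPX = (b"%PDF-1.6\n5 0 obj\n<< /Type /XObject /Subtype /Image "
              b"/Filter /JPXD#65code /Length 0 >>\nstream\n\nendstream\nendobj\n")
SAMPLE_PLAIN = (b"%PDF-1.4\n5 0 obj\n<< /Filter /FlateDecode /Length 0 >>\n"
                b"stream\n\nendstream\nendobj\n")

if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, triage(fh.read()))
```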

II. Impact

   By convincing a user to open a malicious PDF file, an attacker may be
   able to execute code or cause a vulnerable PDF viewer to crash. The
   PDF could be emailed as an attachment or hosted on a website.

III. Solution

   Apply an update

   This issue is addressed in Foxit Reader 3.0 Build 1817. Updating
   to this version should trigger an upgrade of the JPEG2000 / JBIG
   Decoder component to version 2.0.2009.616 if a vulnerable version
   is already installed. Additional details are available in the
   Foxit Reader security advisory.

   Disable JavaScript in Foxit Reader

   Disabling JavaScript may help prevent this and other vulnerabilities
   from being exploited. Foxit Reader JavaScript can be disabled in the
   preferences dialog (Edit -> Preferences -> JavaScript and uncheck
   Enable JavaScript Actions). Note that this will not block the
   vulnerability. Foxit Reader still may crash when parsing specially
   crafted PDF documents.

   Prevent Internet Explorer from automatically opening PDF documents

   The installer for Foxit Reader configures Internet Explorer to
   automatically open PDF files without any user interaction. This
   behavior can be reverted to the safer option of prompting the user by
   importing the following as a .REG file:

       Windows Registry Editor Version 5.00

       [HKEY_CLASSES_ROOT\FoxitReader.Document]
       "EditFlags"=hex:00,00,00,00

   Disable the displaying of PDF documents in the web browser

   Preventing PDF documents from opening inside a web browser may help
   mitigate this vulnerability. If this workaround is applied to updated
   versions of Foxit Reader, it may help mitigate future
   vulnerabilities.

   To prevent PDF documents from automatically being opened in a web
   browser:
    1. Open Foxit Reader.
    2. Open the Edit menu.
    3. Choose the Preferences option.
    4. Choose the Internet section.
    5. Uncheck the "Display PDF in browser" check box.

   Do not access PDF documents from untrusted sources

   Do not open unfamiliar or unexpected PDF documents, particularly those
   hosted on web sites or delivered as email attachments. Please see
   Cyber Security Tip ST04-010.

Systems Affected

   Vendor                     Status     Date Notified Date Updated
   Foxit Software Company     Vulnerable 2009-06-02    2009-06-19

References

   http://www.foxitsoftware.com/pdf/reader/
   http://www.foxitsoftware.com/pdf/reader/security.htm#0602
   http://www.foxitsoftware.com/downloads/addons/jpg_decoder2.0.20096.html

Credit

   This vulnerability was reported by Will Dormann of the CERT/CC.

   This document was written by Will Dormann.

Other Information

   Date Public:              2009-06-19
   Date First Published:     2009-06-19
   Date Last Updated:        2009-06-19
   CERT Advisory:
   CVE-ID(s):                CVE-2009-0690; CVE-2009-0691
   NVD-ID(s):                CVE-2009-0690 CVE-2009-0691
   US-CERT Technical Alerts:
   Metric:                   1.02
   Document Revision:        10

======================================================================

          =========================================================
          CERT-Renater reference servers
          http://www.urec.fr/securite
          http://www.cru.fr/securite
          http://www.renater.fr
          =========================================================
          + CERT-RENATER          | tel : 01-53-94-20-44          +
          + 151 bd de l'Hopital   | fax : 01-53-94-20-41          +
          + 75013 Paris           | email: certsvp@renater.fr     +
          =========================================================


