
====================================================================

                                 CERT-Renater

                    Information Note No. 2017/VULN007
_____________________________________________________________________

DATE                : 13/01/2017

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Windows, Linux running Foxit Reader,
                         Foxit PhantomPDF versions prior to 8.2,
                      Foxit Reader for Linux versions prior to 2.3,
                      Foxit PDF Toolkit versions prior to 2.0.

=====================================================================
https://www.foxitsoftware.com/support/security-bulletins.php
____________________________________________________________________

Security updates available in Foxit Reader 8.2 and Foxit PhantomPDF 8.2



Release date: January 10, 2017

Platform: Windows

Summary

Foxit has released Foxit Reader 8.2 and Foxit PhantomPDF 8.2, which
address potential security and stability issues.


Affected versions

Product                  Affected versions           Platform

Foxit Reader             8.1.4.1208 and earlier      Windows

Foxit PhantomPDF         8.1.1.1115 and earlier      Windows


Solution

Update your applications to the latest versions by following one of the
instructions below.

  - From the “Help” tab of Foxit Reader or Foxit PhantomPDF, click on
    “Check for Updates” and update to the latest version.
  - Click here to download the updated version of Foxit Reader from our
    website.
  - Click here to download the updated version of Foxit PhantomPDF from
    our website. Note that purchasing a license may be necessary to use
    PhantomPDF beyond the trial period. If you already have a PhantomPDF 8
    license, you can update to PhantomPDF 8.2 for free.


Vulnerability details


Brief                                       Acknowledgement

Addressed potential issues where the        kdot working with Trend Micro's
application could be exposed to a           Zero Day Initiative
JPEG2000 Parsing Out-of-Bounds Write/Read   Gogil of STEALIEN working with
vulnerability, which could be               Trend Micro's Zero Day Initiative
exploited by attackers to execute
remote code or leak information.

Addressed potential issues where the        Steven Seeley of Source Incite
application could be exposed to a           working with Trend Micro's Zero Day
Use-After-Free vulnerability, which         Initiative
could be exploited by attackers to          kdot working with Trend Micro's
execute remote code.                        Zero Day Initiative

Addressed a potential issue where           kdot working with Trend Micro's
the application could be exposed to         Zero Day Initiative
a Font Parsing Out-of-Bounds Read
vulnerability, which could lead to
information disclosure.

Addressed potential issues where the        Ke Liu of Tencent's Xuanwu LAB
application could be exposed to an          working with Trend Micro's Zero
Out-of-Bounds Read or Memory Corruption     Day Initiative
vulnerability when converting JPEG or       Juan Pablo Lopez Yacubian
TIFF files to PDFs, which could be          working with Trend Micro's Zero
exploited by attackers to execute           Day Initiative
remote code or leak information.


For more information, please contact the Foxit Security Response Team at 
security-ml@foxitsoftware.com.

________


Security updates available in Foxit Reader for Linux 2.3



Release date: January 10, 2017

Platform: Linux


Summary

Foxit has released Foxit Reader for Linux 2.3, which addresses potential
security and stability issues.


Affected versions


Product                    Affected versions           Platform

Foxit Reader               2.2.1025 and earlier        Linux


Solution

Update your applications to the latest versions by following one of the
instructions below.

  - From the “Help” tab of Foxit Reader, click on “Check for Updates
    Now” and update to the latest version.
  - Click here to download the updated version of Foxit Reader from our
    website.


Vulnerability details

Brief                                       Acknowledgement

Addressed a potential issue where the       Dmitri Kaslov
application could be exposed to a
stack overflow vulnerability, which
could be exploited by attackers to
execute a controlled crash.

For more information, please contact the Foxit Security Response Team
at security-ml@foxitsoftware.com.

___________


Security updates available in Foxit PDF Toolkit 2.0



Release date: January 10, 2017

Platform: Windows


Summary

Foxit has released Foxit PDF Toolkit 2.0, which addresses a potential
security issue.


Affected versions


Product                 Affected versions            Platform

Foxit PDF Toolkit       1.3                          Windows


Solution

Update Foxit PDF Toolkit to the latest version by clicking here to
download it from our website. Note that purchasing a license may be
necessary to use Foxit PDF Toolkit beyond the trial period.


Vulnerability details


Brief                                       Acknowledgement

Addressed a potential issue where           Kushal Arvind Shah of Fortinet's
the application could be exposed to         FortiGuard Labs
a memory corruption vulnerability
when parsing PDF files, which could
cause remote code execution.
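
Added example (not part of the Foxit bulletins or of the CERT-Renater note): a
version triage over a software inventory, using the three "Affected versions"
tables above. The inventory format and host names are constructed. Foxit Reader
gets one rule per platform, because the fixed Linux build 2.3 is numerically
lower than the affected Windows builds, and versions are compared as numbers,
not as strings.

```python
# Added example. Rules transcribed from the "Affected versions" tables of this
# note: "max" = that version and earlier, "exact" = only that version is listed.
AFFECTED = {
    ("foxit reader", "windows"): ("max", "8.1.4.1208"),
    ("foxit phantompdf", "windows"): ("max", "8.1.1.1115"),
    ("foxit reader", "linux"): ("max", "2.2.1025"),
    ("foxit pdf toolkit", "windows"): ("exact", "1.3"),
}

# Constructed inventory (host,product,platform,version); hosts are made up.
SAMPLE_INVENTORY = """\
ws-01,Foxit Reader,Windows,8.1.4.1208
ws-02,Foxit Reader,Windows,8.1.4.999
ws-03,Foxit Reader,Windows,8.2
lx-01,Foxit Reader,Linux,2.3
lx-02,Foxit Reader,Linux,2.2.1025
ws-04,Foxit PhantomPDF,Windows,8.0.5
ws-05,Foxit PDF Toolkit,Windows,1.3.0
ws-06,Foxit PDF Toolkit,Windows,2.0
ws-07,Foxit Reader,Windows,8.x-beta
"""

def parse_version(text):
    """'8.1.4.1208' -> (8, 1, 4, 1208); trailing zeros dropped so 1.3.0 == 1.3."""
    parts = [int(p) for p in text.strip().split(".")]  # ValueError if not numeric
    while parts and parts[-1] == 0:
        parts.pop()
    return tuple(parts)

def classify(product, platform, version):
    """Return 'affected', 'not listed' or 'unparsable' for one installation."""
    rule = AFFECTED.get((product.strip().lower(), platform.strip().lower()))
    if rule is None:
        return "not listed"
    mode, bound = rule[0], parse_version(rule[1])
    try:
        installed = parse_version(version)
    except ValueError:
        return "unparsable"  # review by hand rather than assume it is safe
    hit = installed == bound if mode == "exact" else installed <= bound
    return "affected" if hit else "not listed"

def triage(inventory_text):
    """Return {host: status} for 'host,product,platform,version' lines."""
    results = {}
    for line in filter(str.strip, inventory_text.splitlines()):
        host, product, platform, version = [f.strip() for f in line.split(",")]
        results[host] = classify(product, platform, version)
    return results
```

"not listed" means only that the note does not name that version as affected.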

==========================================================
CERT-Renater reference server
https://services.renater.fr/ssi/
==========================================================
+ CERT-RENATER          | tel : 01-53-94-20-44           +
+ 23 - 25 Rue Daviel    | fax : 01-53-94-20-41           +
+ 75013 Paris           | email: cert@support.renater.fr +
==========================================================







