=====================================================================
                            CERT-Renater

                 Information Note No. 2018/VULN307
_____________________________________________________________________

DATE                 : 03/10/2018

HARDWARE PLATFORM(S) : /

OPERATING SYSTEM(S)  : Systems running Foxit Reader, Foxit PhantomPDF
                       versions prior to 9.3.

=====================================================================
https://www.foxitsoftware.com/support/security-bulletins.php
_____________________________________________________________________

Security updates available in Foxit Reader 9.3 and Foxit PhantomPDF 9.3

Release date: September 28, 2018
Platform: Windows

Summary

Foxit has released Foxit Reader 9.3 and Foxit PhantomPDF 9.3, which
address potential security and stability issues.

Affected versions

Product            Affected versions        Platform
Foxit Reader       9.2.0.9297 and earlier   Windows
Foxit PhantomPDF   9.2.0.9297 and earlier   Windows

Solution

Update your applications to the latest versions by following one of the
instructions below.

  From the “Help” tab of Foxit Reader or Foxit PhantomPDF, click on
  “Check for Updates” and update to the latest version.

  Click here to download the updated version of Foxit Reader from our
  website.

  Click here to download the updated version of Foxit PhantomPDF from
  our website.

Vulnerability details

Brief:
Addressed potential issues where the application could be exposed to
Out-of-Bounds Access/Write/Read or Use-After-Free vulnerability and
crash when parsing non-integer strings during the conversion of HTML
files to PDFs, which could be exploited by attackers to execute remote
code (ZDI-CAN-6230/ZDI-CAN-7128/ZDI-CAN-7129/ZDI-CAN-7130/
ZDI-CAN-7131/ZDI-CAN-7132).

Acknowledgement:
  bit - MeePwn team working with Trend Micro's Zero Day Initiative
  Anonymous working with Trend Micro's Zero Day Initiative

Brief:
Addressed potential issues where the application could be exposed to
Use-After-Free Remote Code Execution or Out-of-Bounds Read Information
Disclosure vulnerability and crash.
This occurs when executing certain JavaScript due to the use of
document and its auxiliary objects which have been closed after calling
closeDoc function
(ZDI-CAN-6333/ZDI-CAN-6334/ZDI-CAN-6335/ZDI-CAN-6336/ZDI-CAN-6352/
ZDI-CAN-6353/ZDI-CAN-6355/ZDI-CAN-6434/ZDI-CAN-6435/ZDI-CAN-6435/
ZDI-CAN-6354/CVE-2018-3940/CVE-2018-3941/CVE-2018-3942/CVE-2018-3943/
CVE-2018-3944/CVE-2018-3945/CVE-2018-3946/CVE-2018-3957/CVE-2018-3962/
CVE-2018-3958/CVE-2018-3959/CVE-2018-3960/CVE-2018-3961/CVE-2018-3964/
CVE-2018-3965/CVE-2018-3966/CVE-2018-3967/ZDI-CAN-6439/ZDI-CAN-6455/
ZDI-CAN-6471/ZDI-CAN-6472/ZDI-CAN-6473/ZDI-CAN-6474/ZDI-CAN-6475/
ZDI-CAN-6477/ZDI-CAN-6478/ZDI-CAN-6479/ZDI-CAN-6480/ZDI-CAN-6481/
ZDI-CAN-6482/ZDI-CAN-6483/ZDI-CAN-6484/ZDI-CAN-6485/ZDI-CAN-6486/
ZDI-CAN-6487/ZDI-CAN-6501/ZDI-CAN-6502/ZDI-CAN-6503/ZDI-CAN-6504/
ZDI-CAN-6505/ZDI-CAN-6506/ZDI-CAN-6507/ZDI-CAN-6509/ZDI-CAN-6511/
ZDI-CAN-6512/ZDI-CAN-6513/ZDI-CAN-6514/ZDI-CAN-6517/ZDI-CAN-6518/
ZDI-CAN-6519/ZDI-CAN-6520/ZDI-CAN-6521/ZDI-CAN-6522/ZDI-CAN-6523/
ZDI-CAN-6524/ZDI-CAN-6817/ZDI-CAN-6848/ZDI-CAN-6849/ZDI-CAN-6850/
ZDI-CAN-6851/ZDI-CAN-6915/ZDI-CAN-7141/ZDI-CAN-7163/ZDI-CAN-6470/
ZDI-CAN-7103/ZDI-CAN-7138/ZDI-CAN-7169/ZDI-CAN-7170/CVE-2018-3993/
CVE-2018-3994/CVE-2018-3995/CVE-2018-3996/CVE-2018-3997/ZDI-CAN-7067/
CVE-2018-16291/CVE-2018-16293/CVE-2018-16295/CVE-2018-16296/
CVE-2018-16297/CVE-2018-16294/CVE-2018-16292/ZDI-CAN-7253/
ZDI-CAN-7252/ZDI-CAN-7254/ZDI-CAN-7255).

Acknowledgement:
  Steven Seeley (mr_me) of Source Incite working with Trend Micro's
    Zero Day Initiative
  Aleksandar Nikolic of Cisco Talos
  Esteban Ruiz (mr_me) of Source Incite working with Trend Micro's
    Zero Day Initiative
  Anonymous working with Trend Micro's Zero Day Initiative
  Abago Forgans working with Trend Micro's Zero Day Initiative
  Mat Powell of Trend Micro Zero Day Initiative
  Kamlapati Choubey working with Trend Micro's Zero Day Initiative
  ManchurianClassmate from 360 Yunying Labs

Brief:
Addressed potential issues where the application could be exposed to
Use-After-Free Remote Code Execution vulnerability when opening a
malicious file. This occurs because a dialog box pops up repeatedly,
which prevents the application from being closed
(ZDI-CAN-6438/ZDI-CAN-6458).

Acknowledgement:
  Esteban Ruiz (mr_me) of Source Incite working with Trend Micro's
    Zero Day Initiative

Brief:
Addressed a potential issue where the application could be exposed to
Use-After-Free Remote Code Execution vulnerability due to the use of
objects which have been deleted or closed (ZDI-CAN-6614/ZDI-CAN-6616).

Acknowledgement:
  Anonymous working with Trend Micro's Zero Day Initiative

Brief:
Addressed a potential issue where the application could be exposed to
Use-After-Free Remote Code Execution vulnerability and crash. This
occurs due to the use of a control object after it has been deleted
within static XFA layout, or the access of a wild pointer resulting
from a deleted object after XFA re-layout (ZDI-CAN-6500/ZDI-CAN-6700).

Acknowledgement:
  Anonymous working with Trend Micro's Zero Day Initiative

Brief:
Addressed potential issues where the application could be exposed to
Use-After-Free Remote Code Execution vulnerability when handling
certain properties of Annotation objects due to the use of freed
objects (ZDI-CAN-6498/ZDI-CAN-6499/ZDI-CAN-6820/ZDI-CAN-6845/
ZDI-CAN-7157).

Acknowledgement:
  Kamlapati Choubey of Trend Micro Security Research working with
    Trend Micro's Zero Day Initiative
  Sooraj K S (@soorajks)
  Anonymous working with Trend Micro's Zero Day Initiative

Brief:
Addressed potential issues where the application could be exposed to
Use-After-Free Remote Code Execution vulnerability and crash when
processing malicious PDF documents or certain properties of a PDF form.
This occurs because the application continues to set value for the
field object after it has been removed (ZDI-CAN-6890/ZDI-CAN-7068/
ZDI-CAN-7069/ZDI-CAN-7070/ZDI-CAN-7145).

Acknowledgement:
  Anonymous working with Trend Micro's Zero Day Initiative

Brief:
Addressed a potential issue where the application could be exposed to
Uninitialized Object Information Disclosure vulnerability since there
exists an uninitialized object when creating ArrayBuffer and DataView
objects (CVE-2018-17781).

Acknowledgement:
  Steven Seeley (mr_me) of Source Incite working with iDefense Labs

Brief:
Addressed a potential issue where the application could be exposed to
Memory Corruption vulnerability when getting pageIndex object without
an initial value (CVE-2018-3992).

Acknowledgement:
  Abago Forgans
  Aleksandar Nikolic of Cisco Talos

Brief:
Addressed a potential issue where the application could be exposed to
Out-of-Bounds Read Information Disclosure vulnerability when processing
the Lower() method of an XFA object due to the abnormal data access
resulting from the different definition of object character length in
WideString and ByteString (ZDI-CAN-6617).

Acknowledgement:
  Anonymous working with Trend Micro's Zero Day Initiative

Brief:
Addressed a potential issue where the application could be exposed to
Type Confusion Remote Code Execution vulnerability due to the use of a
null pointer without validation (ZDI-CAN-6819).

Acknowledgement:
  Anonymous working with Trend Micro's Zero Day Initiative

Brief:
Addressed a potential issue where the application could be exposed to
Out-of-Bounds Read Information Disclosure vulnerability and crash when
parsing certain BMP images due to the access of invalid address
(ZDI-CAN-6844).

Acknowledgement:
  kdot working with Trend Micro's Zero Day Initiative

Brief:
Addressed a potential issue where the application could be exposed to
Out-of-Bounds Read Information Disclosure vulnerability when processing
a PDF file which contains non-standard signatures. This issue results
from the lack of proper validation when getting null value within the
obtaining of signature information using OpenSSL as the written
signature information is incorrect (ZDI-CAN-7073).

Acknowledgement:
  Sebastian Feldmann from GoSecure working with Trend Micro's Zero Day
    Initiative

For more information, please contact the Foxit Security Response Team
at security-ml@foxitsoftware.com.

=========================================================
+ CERT-RENATER        | tel : 01-53-94-20-44            +
+ 23/25 Rue Daviel    | fax : 01-53-94-20-41            +
+ 75013 Paris         | email:cert@support.renater.fr   +
=========================================================