==================================================================== CERT-Renater Note d'Information No. 2020/VULN678 _____________________________________________________________________ DATE : 10/12/2020 HARDWARE PLATFORM(S): / OPERATING SYSTEM(S): Systems running Foxit Reader, Foxit PhantomPDF versions prior to 10.1.1. ===================================================================== https://www.foxitsoftware.com/support/security-bulletins.html _____________________________________________________________________ Security updates available in Foxit Reader 10.1.1 and Foxit PhantomPDF 10.1.1 Release date: December 9, 2020 Platform: Windows Summary Foxit has released Foxit Reader 10.1.1 and Foxit PhantomPDF 10.1.1, which address potential security and stability issues. Affected versions Product Affected versions Platform Foxit Reader 10.1.0.37527 and earlier Windows Foxit PhantomPDF 10.1.0.37527 and earlier Windows Solution Update your applications to the latest versions by following one of the methods below. From the “Help” tab of Foxit Reader or Foxit PhantomPDF, click on “Check for Updates” and update to the latest version. Click here to download the updated version of Foxit Reader from our website. Click here to download the updated version of Foxit PhantomPDF from our website. Vulnerability details Brief Acknowledgement Addressed a potential issue where the application could be exposed to Out-of-Bounds Write Remote Code Execution vulnerability and crash while processing certain XFA templates. This occurs during the process of modifying control attributes and appending nodes as the application fails to validate and uses certain type of object that is explicitly converted from a wrong layout object created by the appended template node (ZDI-CAN-11727). Anonymous working with Trend Micro Zero Day Initiative Addressed a potential issue where the application could be exposed to Evil Annotation Attack and deliver incorrect validation results when validating certain certified PDF files whose visible content was significantly altered. This occurs as the application fails to identify the objects in the incremental update when the Subtype entry of the Annotation dictionary is set as null. Simon Rohlmann, Vladislav Mladenov, Christian Mainka, Jorg Schwenk Addressed a potential issue where the application could be exposed to Type Confusion Memory Corruption or Remote Code Execution vulnerability and crash due to the lack of proper validation when an incorrect argument was passed to the app.media.openPlayer function defined in PDF JavaScript API (CVE-2020-13547). Aleksandar Nikolic of Cisco Talos Addressed potential issues where the application could be exposed to Use-After-Free Remote Code Execution vulnerability and crash when executing certain JavaScript in a PDF file. This occurs due to the access or use of pointer or object that has been removed after calling certain JavaScript functions (CVE-2020-13548/CVE-2020-13557/CVE-2020-13560/CVE-2020-13570). Aleksandar Nikolic of Cisco Talos Addressed a potential issue where the application could be exposed to Denial of Service vulnerability and crash when opening certain PDF files that contained illegal value in the /Size entry of the Trail dictionary. This occurs due to the array overflow as the illegal value in the /Size entry causes an error in initializing the array size for storing the compression object streams, and an object number which is larger than the initialization value is used as the array index while parsing the cross-reference streams (CVE-2020-28203). Sanjeev Das (IBM Research) For more information, please contact the Foxit Security Response Team at [email protected]. ========================================================= + CERT-RENATER       |    tel : 01-53-94-20-44          + + 23/25 Rue Daviel   |    fax : 01-53-94-20-41         + + 75013 Paris        |    email:cert@support.renater.fr + =========================================================