Overview
Talos is disclosing five vulnerabilities in Foxit PDF Reader. Foxit PDF Reader is a popular free program for viewing, creating, and editing PDF documents. It is commonly used as an alternative to Adobe Acrobat Reader and has a widely used browser plugin available. Update to the current version of Foxit PDF Reader.Details
Vulnerabilities Discovered by Aleksandar NikolicTALOS-2017-0506
TALOS-2017-0506 / CVE-2017-14458 in an exploitable use-after-free vulnerability that exists specifically in the JavaScript engine of Foxit PDF Reader. When executing embedded JavaScript code, a document can be closed, which essentially frees up a lot of used objects, but the JavaScript can continue to execute. Taking advantage of this, a specially crafted PDF document can trigger a previously freed object in memory to be reused, which results in arbitrary code execution. There are a couple of different ways an adversary could leverage this attack, including tricking a user into opening a malicious PDF. Or, if the browser plugin is enabled, simply viewing the document on the internet could result in exploitation. Full details of the vulnerability can be found here.TALOS-2018-0525
TALOS-2018-0525 / CVE-2018-3842 results from an exploitable use of an uninitialized pointer in the Javascript engine in the Foxit PDF Reader that can result in remote code execution. A specially craft PDF file could trigger this vulnerability. There are a couple of different ways an adversary could leverage this attack including tricking a user to opening a malicious PDF or, if the browser plugin is enabled, simply viewing the document on the Internet could result in exploitation. Full details of the vulnerability can be found here.TALOS-2018-0526
TALOS-2018-0526 / CVE-2018-3843 results from a type confusion vulnerability in the way Foxit PDF reader parses files with associated extensions. A specially crafted PDF file could trigger this vulnerability resulting in sensitive memory disclosure or, potentially, arbitrary code execution. There are a couple of different ways an adversary could leverage this attack including tricking a user to opening a malicious PDF or, if the browser plugin is enabled, simply viewing the document on the Internet could result in exploitation. Full details of the vulnerability can be found here.TALOS-2018-0532
TALOS-2018-0532 / CVE-2018-3850 is a use-after-free vulnerability that exists in the Javascript engine of the Foxit PDF Reader. This specific vulnerability lies in the 'this.xfa.clone()' method, which results in a use-after-free condition. A specially crafted PDF file could trigger this vulnerability resulting in sensitive memory disclosure or, potentially, arbitrary code execution. There are a couple of different ways an adversary could leverage this attack including tricking a user to opening a malicious PDF or, if the browser plugin is enabled, simply viewing the document on the Internet could result in exploitation. Full details of the vulnerability can be found here.TALOS-2018-0536
TALOS-2018-0536 / CVE-2018-3853 is a use-after-free vulnerability that exists in the JavaScript engine of the Foxit PDF Reader. The specific vulnerability lies in combinations of the 'createTemplate' and 'closeDoc' methods related to the JavaScript functionality of Foxit PDF Reader. A specially crafted PDF file could trigger this vulnerability resulting in sensitive memory disclosure or, potentially, arbitrary code execution. There are a couple of different ways an adversary could leverage this attack including tricking a user to opening a malicious PDF or, if the browser plugin is enabled, simply viewing the document on the Internet could result in exploitation. Full details of the vulnerability can be found here.Coverage
The following Snort rules will detect exploitation attempts. Note that additional rules may be released at a future date, and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Center or Snort.org.Snort Rule: 45158-45159, 45608-45609, 45652-45653, 45715-45716, 45823-45824
Article Link: http://feedproxy.google.com/~r/feedburner/Talos/~3/M11jJsMzER8/multiple-vulns-foxit-pdf-reader.html