Foxit Reader Multiple Bugs Let Remote Users Execute Arbitrary Code and Deny Service and Local Users Gain Elevated Privileges
SecurityTracker Alert ID: 1035295
SecurityTracker URL: http://securitytracker.com/id/1035295
CVE Reference: CVE-2016-4059, CVE-2016-4060, CVE-2016-4061, CVE-2016-4062, CVE-2016-4063, CVE-2016-4064, CVE-2016-4065
Updated: Apr 23 2016
Original Entry Date: Mar 16 2016
Impact: Denial of service via network, Execution of arbitrary code via network, User access via local system, User access via network
Fix Available: Yes
Vendor Confirmed: Yes
Version(s): 7.2.8.1124 and prior
Description:
Several vulnerabilities were reported in Foxit Reader. A remote user can cause arbitrary code to be executed on the target user's system. A local user can obtain elevated privileges on the target system. A remote user can cause denial of service conditions on the target system.
A remote user can create a specially crafted file that, when loaded by the target user, will execute arbitrary code on the target system. The code will run with the privileges of the target user.
A use-after-free memory error may occur in Font Parsing.
A use-after-free memory error may occur in Global setPersistent.
A use-after-free memory error may occur in WillClose Action.
A use-after-free memory error may occur in Microsoft Windows Gdiplus GpRuntime::GpLock::GpLock.
Arbitrary code may be executed when opening a specially crafted PDF file with images.
An integer overflow may occur in XFA FormCalc Replace.
An out-of-bounds memory read may occur in JBIG2.
A remote user can create a file with specially crafted images or image data that, when loaded by the target user, will cause the target user's application to crash.
The application does not safely load 'xpsp2res.dll' and 'phoneinfo.dll'. A local user can place a specially crafted DLL file on the target system. When the target user runs Foxit Reader, arbitrary code will be executed on the target system with the privileges of the target user.
Impact:
A remote user can create content that, when loaded by the target user, will execute arbitrary code on the target user's system.
A remote user can create content that, when loaded by the target user, will cause the target user's application to crash.
A local user can obtain elevated privileges on the target system.
Solution:
The vendor has issued a fix (7.3.0.0118) [in January 2016].
The vendor's advisory is available at:
https://www.foxitsoftware.com/support/security-bulletins.php#content-2016
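An added example (not from the advisory or from the vendor): a host triage check built on the two specifics given above, the fixed build 7.3.0.0118 and the unsafely loaded DLL names 'xpsp2res.dll' and 'phoneinfo.dll'. Which directories to scan and the rule that every build below the fix counts as affected are assumptions, and the function names are illustrative.

```python
import os
import tempfile

FIXED_VERSION = (7, 3, 0, 118)   # "7.3.0.0118" from the Solution field
DLL_NAMES = {"xpsp2res.dll", "phoneinfo.dll"}   # DLLs named in the Description


def parse_version(text):
    """Turn '7.2.8.1124' into (7, 2, 8, 1124); leading zeros are dropped."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected version string: {text!r}")
    return tuple(int(p) for p in parts)


def is_affected(version_text):
    """Assumption: any build numerically below the fixed release is affected."""
    return parse_version(version_text) < FIXED_VERSION


def find_dll_candidates(directories):
    """Return paths of files named like the advisory's DLLs.

    Pass non-system directories chosen by the caller (assumption: for example
    the Reader install directory). Names are compared case-insensitively, as
    Windows does, and unreadable or missing directories are skipped.
    """
    hits = []
    for directory in directories:
        try:
            entries = os.listdir(directory)
        except OSError:
            continue
        hits += [os.path.join(directory, n) for n in entries
                 if n.lower() in DLL_NAMES]
    return sorted(hits)


def audit(version_text, directories):
    """Combine both checks; a hit is a lead to investigate, not proof."""
    hits = find_dll_candidates(directories)
    return {"affected_version": is_affected(version_text),
            "dll_candidates": hits, "investigate": bool(hits)}


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:   # constructed sample directory
        open(os.path.join(d, "PhoneInfo.DLL"), "wb").close()
        print(audit("7.2.8.1124", [d]))
```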
Vendor URL: www.foxitsoftware.com/support/security-bulletins.php#content-2016
Cause: Access control error, Boundary error
Underlying OS: Windows (Any)
Message History:
None.