Attackers could inject code into Foxit PDF Editor and Reader with manipulated documents. Updated software closes the security gaps.

IT security researchers have discovered numerous security vulnerabilities in Foxit PDF Editor and Foxit PDF Reader. They allow attackers to inject malicious code using carefully prepared documents, or to crash the software. Updates fix the vulnerabilities.

Foxit lists a total of 23 vulnerabilities in its security advisory, but only for the PDF Editor. They range from use-after-free and null pointer dereference flaws to out-of-bounds memory accesses. These lead to the application crashing or to the execution of injected code.

Foxit PDF Reader also vulnerable

The details of the reports, for example those from the Zero Day Initiative, indicate that the vulnerabilities are also present in Foxit PDF Reader. However, Foxit has not yet released a security advisory for this software. It is therefore still unclear which version of Foxit PDF Reader is affected and whether the version currently offered on the download page already closes the vulnerabilities.

The flaws affect Foxit PDF Editor for Windows version 11.2.2.53575 and all earlier 11.x versions, as well as version 10.1.8.37795 and older versions. Foxit PDF Editor 11.2.3 is available for download and is intended to fix the security-related bugs. According to the manufacturer, the update can also be installed from within the application via the menu item “Help” – “About Foxit PDF Editor” – “Check for updates” or, for the older version 10, under “Help” – “Check for updates”.
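
For administrators who have an exported software inventory, the version ranges above can be checked in bulk. The following Python sketch is an added example, not code from Foxit or from this article; the host names, the sample inventory and the status labels are constructed for illustration, and any version the article does not mention is reported as "not-listed" rather than assumed safe.

```python
import re

# Version bounds taken from the article text; status labels are this example's own.
LAST_AFFECTED_11 = (11, 2, 2, 53575)  # "11.2.2.53575 and all earlier 11.x versions"
LAST_AFFECTED_10 = (10, 1, 8, 37795)  # "10.1.8.37795 and older versions"
FIXED_11 = (11, 2, 3, 0)              # "Foxit PDF Editor 11.2.3"


def parse_version(text):
    """Return a 4-tuple of ints, or None if text is not a dotted version."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+){0,3}", text):
        return None
    parts = [int(p) for p in text.split(".")]
    # Pad short versions such as "11.2" so tuple comparison is well defined.
    return tuple(parts + [0] * (4 - len(parts)))


def classify(version_text):
    """Map a Foxit PDF Editor version string to a triage status."""
    v = parse_version(version_text)
    if v is None:
        return "unparseable"
    if v[0] == 11:
        if v <= LAST_AFFECTED_11:
            return "affected"
        return "updated" if v >= FIXED_11 else "not-listed"
    if v <= LAST_AFFECTED_10:
        return "affected"
    return "not-listed"  # e.g. later 10.x builds or other major versions


def triage(inventory):
    """Group host names by status for a list of (host, version) pairs."""
    result = {}
    for host, version in inventory:
        result.setdefault(classify(version), []).append(host)
    return result


# Constructed sample inventory (hypothetical hosts and versions).
SAMPLE = [("ws-01", "11.2.2.53575"), ("ws-02", "11.2.3"),
          ("ws-03", "10.1.8.37795"), ("ws-04", "9.7"),
          ("ws-05", "12.0"), ("ws-06", "unknown")]

if __name__ == "__main__":
    for status, hosts in sorted(triage(SAMPLE).items()):
        print(f"{status}: {', '.join(hosts)}")
```

Hosts in the "not-listed" and "unparseable" groups need a manual check against the vendor's advisory.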

Many of the vulnerabilities are rated as a high threat, and among those that have a CVSS rating, the values include a CVSS score of 8.8. Foxit users should therefore check promptly whether a software update is available for the version they are using and install it quickly.

