"Foxit Patches Several Code Execution Vulnerabilities in PDF Reader"

Popular PDF document reader Foxit Reader has recently been updated to address multiple use-after-free security bugs that could be exploited for arbitrary code execution. This week, Cisco's Talos security researchers published information on four vulnerabilities in Foxit Reader's JavaScript engine. The issues, tracked as CVE-2022-32774, CVE-2022-38097, CVE-2022-37332, and CVE-2022-40129, have a CVSS score of 8.8 and are described as use-after-free vulnerabilities. The researchers noted that a specially crafted PDF document could trigger the reuse of previously freed memory, which can lead to arbitrary code execution. They stated that an attacker looking to exploit these vulnerabilities would need to trick a user into opening a malicious file. According to the researchers, if the Foxit browser plugin extension is enabled, the bugs can also be triggered when the user navigates to a malicious website. The researchers reported the security defects to Foxit in September. This week, Foxit released version 12.0.1.12430 of its PDF reader to address all of the issues. Users are advised to update to the latest version of the software as soon as possible.

 

SecurityWeek reports: "Foxit Patches Several Code Execution Vulnerabilities in PDF Reader"

Submitted by Anonymous on