Foxit PDF viewer also open to attack, say researchers

Unlike Adobe Reader, patch for free Foxit is available now

Security researchers Monday warned of several vulnerabilities in Foxit, a free PDF document viewer that many have recommended as an alternative to Adobe Reader, which currently contains an unpatched critical bug of its own.

Foxit Software patched its namesake Monday to plug three holes.

One of the three vulnerabilities was in the same JBIG2 image compression format fingered by researchers last month as the root of the bug in Adobe System's popular Reader and Acrobat applications. The flaw in Adobe's software, which has been exploited by hackers since at least early January, will not be patched until Wednesday, according to Adobe's schedule.

The Foxit and Adobe bugs are unrelated, however, except for the fact that they are both in the code that parses JBIG2 images, said Thomas Kristensen, chief technology officer at Secunia AsP, the Danish company that reported the flaw to Foxit. "It is a completely different vulnerability related to JBIG2," Kristensen said in an e-mail Monday.

It was Adobe's confirmation of its bug that prompted Secunia researchers to dig into other PDF viewers. "We did, however, start the research in Foxit out of curiosity based on the Adobe vulnerability, and discovered this new vulnerability," Kristensen said. Secunia reported the bug to Foxit on February 27.

Kristensen declined to offer more information on the Foxit flaw, or the patch that Secunia researchers took in finding it.

The remained two bugs in Foxit were reported February 18 by Core Security Technologies, a developer of penetration testing software. One of the vulnerabilities can trigger a buffer overflow, while the other could be used by attackers to circumvent security warnings.

Foxit has posted patched versions of Foxit 3.0 and Foxit 2.3 on its Web site.

Ironically, some experts have urged users to discard Adobe Reader for Foxit or other free PDF viewing applications. For its part, Adobe has recommended that users disable JavaScript capabilities in the Reader and Acrobat until a patch is available. Even so, last week a Belgian researcher released proof-of-concept attack code that doesn't rely on JavaScript, and can trigger the bug without requiring the user to actually open a malformed PDF.

Adobe plans to patch Version 9 of Reader and Acrobat March 11, and Versions 7 and 8 of the applications on March 18.

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection

Tags pdf bug

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Gregg Keizer

Computerworld
Show Comments

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

George Khoury

Sharp PN-40TC1 Huddle Board

The biggest perks for me would be that it comes with easy to use and comprehensive programs that make the collaboration process a whole lot more intuitive and organic

David Coyle

Brother PocketJet PJ-773 A4 Portable Thermal Printer

I rate the printer as a 5 out of 5 stars as it has been able to fit seamlessly into my busy and mobile lifestyle.

Kurt Hegetschweiler

Brother PocketJet PJ-773 A4 Portable Thermal Printer

It’s perfect for mobile workers. Just take it out — it’s small enough to sit anywhere — turn it on, load a sheet of paper, and start printing.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?