Aleksandar Nikolic of Cisco Talos discovered these vulnerabilities. Blog by Jon Munshaw.

Executive summary

Cisco Talos recently discovered multiple vulnerabilities in Foxit PDF Reader’s JavaScript engine. Foxit PDF Reader is a commonly used PDF reader that contains many features, including the support of JavaScript, which allows it to support interactive documents and dynamic forms. An adversary could take advantage of this JavaScript functionality, sending the victim a specially crafted file to trigger several different vulnerabilities.

In accordance with our coordinated disclosure policy, Cisco Talos worked with Foxit to disclose these vulnerabilities and ensure that an update is available.

Vulnerability details

Foxit Reader JavaScript media openPlayer type confusion vulnerability (TALOS-2020-1165/CVE-2020-13547)

A type confusion vulnerability exists in the JavaScript engine of Foxit Software’s PDF Reader, version 10.1.0.37527. A specially crafted PDF document can trigger an improper use of an object, resulting in memory corruption and arbitrary code execution. An attacker needs to trick the user to open the malicious file to trigger this vulnerability. If the browser plugin extension is enabled, visiting a malicious site can also trigger the vulnerability.

For more information on this vulnerability, read the complete advisory here.

There are also four Four use-after-free vulnerabilities. A specially crafted PDF document can trigger the reuse of previously free memory, which can lead to arbitrary code execution. An attacker needs to trick the user into opening the malicious file to trigger this vulnerability. For more information on these, check out their respective advisories.

• TALOS-2020-1166
• TALOS-2020-1171
• TALOS-2020-1175
• TALOS-2020-1181

Versions tested

Talos tested and confirmed that these vulnerabilities affect Foxit PDF Reader, version 10.1.0.37527.

Coverage

The following SNORTⓇ rules will detect exploitation attempts. Note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Center or Snort.org.

Snort Rules: 51949, 51950, 56053, 56054, 56063 - 56066, 56122, 56123