Foxit Security Bulletins

At Foxit, prompt response to software defects and security holes has always been, and will continue to be, a top priority of its product service. Foxit acknowledges that software defects and security holes are inevitable, and treats mission-critical defects and security issues very seriously. Foxit has published all historic security issues on its website and tracks potential security issues on a daily basis. Even though its list of known security issues is much shorter than those of its competitors due to the robustness of its software products, Foxit has always planned ahead for the unexpected.
In our effort to serve you best, please click here to report a potential security vulnerability.

Brief | Originally Posted | Release Date
Fixed a security issue where applications built on Foxit PDF SDK ActiveX may be exposed to Buffer Overflow when invoking “SetLogFile ()” method. | Sep. 6, 2014 | Sep. 29, 2014
Fixed a security issue caused by the Stored XSS vulnerability when reading and displaying filenames and their paths on the “Recent Documents” section from the Start Page. | May 24, 2014 | July 1, 2014
Fixed a security issue where applications built on Foxit PDF SDK DLL may be exposed to Buffer Overflow Remote Code Execution Vulnerability when invoking “FPDFBookmark_GetTitle()” method. | Apr. 17, 2014 | May 9, 2014
Fixed a security issue where Foxit Reader tried to load imgseg.dll, which could be exploited. | Feb. 12, 2014 | Feb. 19, 2014
Fixed a security issue where attackers can exploit a web browser plugin vulnerability to execute arbitrary code. | Jan. 8, 2013 | Jan. 17, 2013
Fixed a security issue where hackers can run arbitrary code by repairing a STATUS_STACK_BUFFER_OVERRUN exception. | Dec. 11, 2012 | Jan. 14, 2013
Fixed a security issue where the insecure application loading libraries could be exploited to attack the application. | Sep. 10, 2012 | Sep. 26, 2012
Fixed an issue where Foxit Reader may call and run malicious code in the Dynamic Link Library (DLL) file. | Aug. 24, 2012 | Sep. 6, 2012
Fixed an issue where users cannot open the attachments of PDF files in XP and Windows7. | Apr. 12, 2012 | May 3, 2012
Fixed an issue when opening certain PDF files. | Nov. 09, 2011 | Dec. 07, 2011
Fixed a security issue of arbitrary code execution when opening certain PDF files. | June 11, 2011 | July 21, 2011
Fixed an issue of Foxit Reader when opening certain PDF files in a web browser. | June 20, 2011 | July 21, 2011
Fixed an issue of Foxit Reader when opening some affected PDF files. | Apr. 18, 2011 | May 26, 2011
Fixed an issue of the Foxit Reader software that is caused by illegal memory access. | Feb. 15, 2011 | Feb. 24, 2011
Fixed identity theft issue caused by the security flaw of the digital signature. | Aug. 18, 2010 | Sep. 29, 2010
Fixed the crash issue caused by the new iPhone/iPad jailbreak program. | Aug. 04, 2010 | Aug. 06, 2010
Fixed a numerical overflow in the freetype engine. | Apr. 25, 2010 | June 29, 2010
Authorization Bypass When Executing An Embedded Executable. | Mar. 29, 2010 | Apr. 1, 2010
Firefox Plugin Memory Corruption Vulnerability Fixed. | Oct. 20, 2009 | Nov. 17, 2009
Two Security Vulnerabilities Fixed in Foxit Reader 3.0 and JPEG2000/JBIG2 Decoder. | June 2, 2009 | June 19, 2009
JBIG2 Symbol Dictionary Processing in JPEG2000/JBIG Decoder add-on of Foxit Reader 2.3 and 3.0. | Feb. 27, 2009 | Mar. 9, 2009
Security Authorization Bypass in Foxit Reader 2.3 and 3.0. | Feb. 18, 2009 | Mar. 9, 2009
Stack-based Buffer Overflow in Foxit Reader 3.0. | Feb. 18, 2009 | Mar. 9, 2009

Fixed a security issue where applications built on Foxit PDF SDK ActiveX may be exposed to Buffer Overflow when invoking “SetLogFile ()” method.

SUMMARY
Foxit PDF SDK ActiveX 5.0.2.924 fixed a security issue where applications built on Foxit PDF SDK ActiveX may be exposed to Buffer Overflow when invoking “SetLogFile ()” method.

Affected Versions
Foxit PDF SDK ActiveX 2.3 to Foxit PDF ActiveX 5.0.1.820.

Fixed in Version
Foxit PDF SDK ActiveX 5.0.2.924

SOLUTION
Please contact our support team via support@foxitsoftware.com or 1-866-693-6948 (24/7) to upgrade to Foxit PDF SDK ActiveX 5.0.2.924.

SECURITY PROCESS
2014-09-06: Hewlett-Packard’s Zero Day Initiative (ZDI) found the issue;
2014-09-11: Foxit Security Response Team confirmed the issue;
2014-09-25: Foxit fixed the issue;
2014-09-29: Foxit released fixed version of Foxit PDF SDK ActiveX 5.0.2.924.

Fixed a security issue caused by the Stored XSS vulnerability when reading and displaying filenames and their paths on the “Recent Documents” section from the Start Page.

SUMMARY
Foxit Reader 6.2.1, Foxit Enterprise Reader 6.2.1, and Foxit PhantomPDF 6.2.1 fixed a security issue caused by the Stored XSS vulnerability when reading and displaying filenames and their paths on the “Recent Documents” section from the Start Page. Attackers could tamper with the registry entry and cause the application to load malicious files.

Affected Versions
Foxit Reader 6.2.0.0429 and earlier
Foxit Enterprise Reader 6.2.0.0429 and earlier
Foxit PhantomPDF 6.2.0.0429 and earlier

Fixed in Version
Foxit Reader 6.2.1
Foxit Enterprise Reader 6.2.1
Foxit PhantomPDF 6.2.1

SOLUTION
Please do one of the following:

  • Please go to “Check for Update” from the “Help” menu of Foxit Reader, Foxit Enterprise Reader, or Foxit PhantomPDF to update to the latest version of Foxit Reader 6.2.1, Foxit Enterprise Reader 6.2.1, or Foxit PhantomPDF 6.2.1.
  • Click here to download the updated version of Foxit Reader.
  • Click here to download the updated version of Foxit Enterprise Reader.
  • Click here to download the updated version of Foxit PhantomPDF.

SECURITY PROCESS
2014-05-24: Bernardo Rodrigues found the issue;
2014-06-03: Foxit Security Response Team confirmed the issue;
2014-06-11: Foxit fixed the issue;
2014-07-01: Foxit released fixed version of Foxit Reader 6.2.1/Foxit Enterprise Reader 6.2.1/Foxit PhantomPDF 6.2.1.

Fixed a security issue where applications built on Foxit PDF SDK DLL may be exposed to Buffer Overflow Remote Code Execution Vulnerability when invoking “FPDFBookmark_GetTitle()” method.

SUMMARY
Foxit PDF SDK DLL 3.1.1.5005 fixed a security issue where applications built on Foxit PDF SDK DLL may be exposed to Buffer Overflow Remote Code Execution Vulnerability when invoking “FPDFBookmark_GetTitle()” method.

Affected Versions
Foxit PDF SDK DLL 3.1.1.2927 and earlier.

Fixed in Version
Foxit PDF SDK DLL 3.1.1.5005

SOLUTION
Please contact our support team via support@foxitsoftware.com or 1-866-693-6948 (24/7) to upgrade to Foxit PDF SDK DLL 3.1.1.5005.

SECURITY PROCESS
2014-04-17: Hewlett-Packard’s Zero Day Initiative (ZDI) found the issue;
2014-04-18: Foxit Security Response Team confirmed the issue;
2014-05-07: Foxit fixed the issue;
2014-05-09: Foxit released fixed version of Foxit PDF SDK DLL 3.1.1.5005.

Fixed a security issue where Foxit Reader tried to load imgseg.dll, which could be exploited.

SUMMARY
Foxit Reader 6.1.4 fixed a security issue where Foxit Reader tried to load imgseg.dll, which could be exploited. Attackers could place an insecure .dll file (whose name is the same as the plugin) in the execution directory, and then cause Foxit Reader to call the malicious file.

Affected Versions
Foxit Reader 6.1.2.1224

Fixed in Version
Foxit Reader 6.1.4

SOLUTION
Please do one of the following:

  • Please go to "Check for Updates Now" from Foxit Reader "Help" menu to update to the latest version of Foxit Reader 6.1.4.
  • Click here to download the updated version of Foxit Reader now.

SECURITY PROCESS
2014-02-12: Hossam Hosam found the issue;
2014-02-15: Foxit Security Response Team confirmed the issue;
2014-02-17: Foxit fixed the issue;
2014-02-19: Foxit released fixed version of Foxit Reader 6.1.4.

Fixed a security issue where attackers can exploit a web browser plugin vulnerability to execute arbitrary code.

SUMMARY
Foxit Reader 5.4.5 and PhantomPDF 5.4.3 fixed a security issue where attackers can exploit a web browser plugin vulnerability to execute arbitrary code. The vulnerability is caused by a boundary error in the plugin for web browsers (npFoxitReaderPlugin.dll/npFoxitPhantomPDFPlugin.dll) when processing a URL and can be exploited to cause a stack-based buffer overflow via an overly long file name in the URL.

Affected Versions
Foxit Reader 5.4.4 and earlier;
Foxit PhantomPDF 5.4.2 and earlier.

Fixed in Version
Foxit Reader 5.4.5
Foxit PhantomPDF 5.4.3

SOLUTION
Please do one of the following:

  • Please go to "Check for Updates Now" from Foxit Reader/Foxit PhantomPDF "Help" menu to update to the latest version of Foxit Reader 5.4.5/Foxit PhantomPDF 5.4.3.
  • Click here to download the updated version of Foxit Reader now.
  • Click here to download the updated version of Foxit PhantomPDF now.

SECURITY PROCESS
2013-01-08: Secunia found the issue;
2013-01-11: Foxit Security Response Team confirmed the issue;
2013-01-14: Foxit fixed the issue and released fixed version of Firefox Plugin 2.2.3.111;
2013-01-17: Foxit released fixed version of Foxit Reader 5.4.5 to update Firefox Plugin 2.2.3.111;
2013-02-07: Foxit released fixed version of Foxit PhantomPDF 5.4.3 to update Firefox Plugin 2.2.3.111.

Fixed a security issue where hackers can run arbitrary code by repairing a STATUS_STACK_BUFFER_OVERRUN exception.

SUMMARY
Foxit Advanced PDF Editor 3.0.4.0 fixed a security issue where hackers can run arbitrary code by repairing a STATUS_STACK_BUFFER_OVERRUN exception. The STATUS_STACK_BUFFER_OVERRUN exception is triggered by certain PDFs when the security cookie protecting a return address has been tampered with. (The PDFs had some errors which caused our parser to read a Name object which was longer than the maximum allowed length for a Name object.) Hackers who are able to repair this security cookie may be able to use this crashing test case to run arbitrary code.
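
The length check that the summary above says was missing can be placed in the Name tokenizer itself. The following is an added example, not Foxit's code: the function names are hypothetical, the 127-byte limit is the one listed in PDF 32000-1 Annex C, and the input is constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* PDF 32000-1 Annex C gives 127 bytes as the maximum length of a name. */
#define PDF_NAME_MAX 127

enum name_status { NAME_OK = 0, NAME_TOO_LONG, NAME_MALFORMED };

static int hex_val(unsigned char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* PDF whitespace and delimiter bytes terminate a name token. */
static int ends_name(unsigned char c)
{
    return c == '\0' || strchr(" \t\r\n\f()<>[]{}/%", c) != NULL;
}

/* Decode the name at src[0] == '/' into out; *consumed gets the token length. */
enum name_status parse_pdf_name(const unsigned char *src, size_t src_len,
                                char *out, size_t out_cap, size_t *consumed)
{
    size_t i = 1, n = 0;

    if (src_len == 0 || src[0] != '/' || out_cap == 0)
        return NAME_MALFORMED;
    while (i < src_len && !ends_name(src[i])) {
        unsigned char c = src[i++];
        if (c == '#') {                         /* #xx hex escape */
            int hi, lo;
            if (src_len - i < 2)
                return NAME_MALFORMED;
            hi = hex_val(src[i]);
            lo = hex_val(src[i + 1]);
            if (hi < 0 || lo < 0 || (hi == 0 && lo == 0))
                return NAME_MALFORMED;
            c = (unsigned char)(hi * 16 + lo);
            i += 2;
        }
        /* The limit is enforced before the store, so out is never overrun. */
        if (n >= PDF_NAME_MAX || n + 1 >= out_cap)
            return NAME_TOO_LONG;
        out[n++] = (char)c;
    }
    out[n] = '\0';
    *consumed = i;
    return NAME_OK;
}

/* Constructed input: '/' followed by body_len 'A' bytes. */
enum name_status check_constructed_name(size_t body_len)
{
    unsigned char src[512];
    char out[PDF_NAME_MAX + 1];
    size_t used = 0;

    if (body_len > sizeof src - 1)
        body_len = sizeof src - 1;
    src[0] = '/';
    memset(src + 1, 'A', body_len);
    return parse_pdf_name(src, body_len + 1, out, sizeof out, &used);
}

int main(void)
{
    printf("127-byte name: %d\n", check_constructed_name(127));
    printf("400-byte name: %d\n", check_constructed_name(400));
    return 0;
}
```

An over-long name is reported as NAME_TOO_LONG before any byte past the limit is written, so the caller can reject the file instead of relying on the stack cookie to catch the overrun.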

Affected Versions
Foxit Advanced PDF Editor 3.0.0.0

Fixed in Version
Foxit Advanced PDF Editor 3.0.4.0

SOLUTION
Please do one of the following:

  • Please go to "Check for Updates Now" from Reader "Help" menu to update to the latest version of 3.0.4.0
  • Click here to download the updated version now.

SECURITY PROCESS
2012-12-11: CERT Coordination Center found the issue;
2013-01-10: Foxit Security Response Team confirmed the issue;
2013-01-11: Foxit fixed the issue;
2013-01-14: Foxit released fixed version of Foxit Advanced PDF Editor 3.0.4.0.

Fixed a security issue where the insecure application loading libraries could be exploited to attack the application.

SUMMARY
Foxit Reader 5.4.3 fixed a security issue where the application loading libraries in an insecure manner could be exploited to execute arbitrary code to attack the application. An attacker may place an insecure .dll file in the execution directory or current directory and create a PDF to cause an error.

Affected Versions
Foxit Reader 5.4.2.0901 and earlier.

Fixed in Version
Foxit Reader 5.4.3

SOLUTION
Please do one of the following:

  • Please go to "Check for Updates Now" from Reader "Help" menu to update to the latest version of 5.4.3
  • Click here to download the updated version now.

SECURITY PROCESS
2012-09-10: Parvez Anwar of Secunia SVCRP found the issue;
2012-09-11: Foxit Security Response Team confirmed the issue;
2012-09-25: Foxit fixed the issue;
2012-09-26: Foxit released fixed version of Foxit Reader 5.4.3.

Fixed an issue where Foxit Reader may call and run malicious code in the Dynamic Link Library (DLL) file.

SUMMARY
Foxit Reader 5.4 fixed an issue where Foxit Reader may call and run malicious code in the Dynamic Link Library (DLL) file. Attackers could place an infected DLL file, whose name is the same as a system DLL, in a location that comes earlier in the Windows search path, and then cause Foxit Reader to call the malicious file.

Affected Versions
Foxit Reader 5.3.1.0606 and earlier.

Fixed in Version
Foxit Reader 5.4

SOLUTION
Please do one of the following:

  • Please go to "Check for Updates Now" in Reader help menu to update to the latest version 5.4
  • Click here to download the updated version now.

SECURITY PROCESS
2012-08-24: Remy Brands found the issue;
2012-08-25: Foxit Security Response Team confirmed the issue;
2012-08-26: Foxit fixed the issue;
2012-09-06: Foxit released fixed version of Foxit Reader 5.4.

Fixed an issue where users cannot open the attachments of PDF files in XP and Windows7.

SUMMARY
Foxit Reader 5.3 fixed an issue where users cannot open the attachments of PDF files in XP and Windows7. The cause of this issue is that the size of the cross-reference stream is a negative number.

Affected Versions
Foxit Reader 5.1.4.0104 and earlier.

Fixed in Version
Foxit Reader 5.3

SOLUTION
Please do one of the following:

  • Please go to "Check for Updates Now" in Reader help menu to update to the latest version 5.3
  • Click here to download the updated version now.

SECURITY PROCESS
2012-04-12: John Leitch of Microsoft Vulnerability Research found the issue;
2012-04-12: Foxit Security Response Team confirmed the issue;
2012-04-12: Foxit fixed the issue;
2012-05-03: Foxit released fixed version of Foxit Reader 5.3.

Fixed an issue when opening certain PDF files.

SUMMARY
Foxit Reader 5.1.3 fixed an issue when opening certain PDF files. This issue was caused by an out-of-bounds assignment to an array, which may result in memory corruption vulnerabilities.

Affected Versions
Foxit Reader 5.1.0.1021 and earlier.

Fixed in Version
Foxit Reader 5.1.3

SOLUTION
Please do one of the following:

  • Please go to "Check for Updates Now" in Reader help menu to update to the latest version 5.1.3
  • Click here to download the updated version now.

SECURITY PROCESS
2011-11-09: Alex Garbutt of iSEC Partners, Inc. found the issue;
2011-11-11: Foxit Security Response Team confirmed the issue;
2011-11-17: Foxit fixed the issue;
2011-12-07: Foxit released fixed version of Foxit Reader 5.1.3.

Fixed a security issue of arbitrary code execution when opening certain PDF files.

SUMMARY
Foxit Reader 5.0.2 fixed a security issue of arbitrary code execution when opening certain PDF files. This issue was caused by an Insecure Library Loading vulnerability which may enable the application to load malicious DLL files placed in the Reader's directory by a 3rd party.

Affected Versions
Foxit Reader 5.0 and earlier.

Fixed in Version
Foxit Reader 5.0.2

SOLUTION
Please do one of the following:

  • Please go to "Check for Updates Now" in Reader help menu to update to the latest version 5.0.2
  • Click here to download the updated version now.

SECURITY PROCESS
2011-06-11: Rob Kraus of Security Consulting Services (SCS) found the issue;
2011-06-13: Foxit Security Response Team confirmed the issue;
2011-07-20: Foxit fixed the issue;
2011-07-21: Foxit released fixed version of Foxit Reader 5.0.2.

Fixed an issue of Foxit Reader when opening certain PDF files in a web browser.

SUMMARY
Foxit Reader 5.0.2 fixed an issue of Foxit Reader when opening certain PDF files in a web browser. The issue is caused by a memory boundary error which can be exploited to cause a heap-based buffer overflow.

Affected Versions
Foxit Reader 5.0 and earlier.

Fixed in Version
Foxit Reader 5.0.2

SOLUTION
Please do one of the following:

  • Please go to "Check for Updates Now" in Reader help menu to update to the latest version 5.0.2
  • Click here to download the updated version now.

SECURITY PROCESS
2011-06-20: Dmitriy Pletnev of Secunia Research found the issue;
2011-06-24: Foxit Security Response Team confirmed the issue;
2011-07-20: Foxit fixed the issue;
2011-07-21: Foxit released fixed version of Foxit Reader 5.0.2.

Fixed an issue of Foxit Reader when opening some affected PDF files.

SUMMARY
Foxit PDF Reader 4.3.1.0218 had an issue when opening some affected files, which is fixed in Reader 5.0. This issue is caused by memory corruption, which could be exploited by viruses to attach or execute malicious code.

Affected Versions
Foxit Reader 4.3.1.0218 and earlier.

Fixed in Version
Foxit Reader 5.0

SOLUTION
Please do one of the following:

  • Please go to "Check for Updates Now" in Reader help menu to update to the latest version 5.0
  • Click here to download the updated version now.

SECURITY PROCESS
2011-04-18: Brett Gervasoni of Sense of Security Pty Ltd found the issue;
2011-04-20: Foxit Security Response Team confirmed the issue;
2011-05-22: Foxit fixed the issue;
2011-05-26: Foxit released fixed version of Foxit Reader 5.0.

Fixed an issue of the Foxit Reader software that is caused by illegal memory access.

SUMMARY
Foxit PDF Reader 4.3.1.0218 fixed an issue of the Foxit Reader software that is caused by illegal memory access when opening some special PDF documents.

Affected Versions
Foxit Reader 4.3 and earlier.

Fixed in Version
Foxit Reader 4.3.1.0218

SOLUTION
Please do one of the following:

  • Please go to "Check for Updates Now" in Reader help menu to update to the latest version 4.3.1.0218
  • Click here to download the updated version now.

SECURITY PROCESS
2011-02-15: Secunia Research found the issue;
2011-02-15: Foxit Security Response Team confirmed the issue;
2011-02-22: Foxit fixed the issue;
2011-02-24: Foxit released fixed version of Foxit Reader 4.3.1.0218.

Fixed identity theft issue caused by the security flaw of the digital signature.

SUMMARY
Foxit Reader 4.2 effectively fixes the theft issue caused by the security flaw of the digital signature and better prevents the digital signature from being compromised and tampered with.

Affected Versions
Foxit Reader 4.1 and earlier.

Fixed in Version
Foxit Reader 4.2

SOLUTION
Please do one of the following:

  • Please go to "Check for Updates Now" in Reader help menu to update to the latest version 4.2
  • Click here to download the updated version now.

SECURITY PROCESS
2010-08-18: Foxit found the issue;
2010-08-18: Foxit Security Response Team confirmed the issue;
2010-09-13: Foxit fixed the issue;
2010-09-29: Foxit released fixed version of Foxit Reader 4.2.

Fixed the crash issue caused by the new iPhone/iPad jailbreak program.

SUMMARY
Foxit Reader 4.1.1.0805 effectively fixes the crash issue caused by the new iPhone/iPad jailbreak program and prevents malicious attacks on your computer.

Affected Versions
Foxit Reader 4.0 and earlier.

Fixed in Version
Foxit Reader 4.1

SOLUTION
Please do one of the following:

  • Please go to "Check for Updates Now" in Reader help menu to update to the latest version 4.1.1.0805
  • Click here to download the updated version now.

SECURITY PROCESS
2010-08-04: Foxit found the issue;
2010-08-04: Foxit Security Response Team confirmed the issue;
2010-08-05: Foxit fixed the issue;
2010-08-06: Foxit released fixed version of Foxit Reader 4.1.1.0805.

Fixed a numerical overflow in the freetype engine.

SUMMARY
Foxit Reader 4.0.0.0619 fixed an issue of Foxit Reader caused by the numerical overflow in the freetype engine when opening some PDF files. The cause of the overflow is that the type1 decoder in the freetype engine lacks numerical boundary checking.

Affected Versions
Foxit Reader 4.0 and earlier.

Fixed in Version
Foxit Reader 4.0.0.0619

SOLUTION
Please do one of the following:

  • Please go to "Check for Updates Now" in Reader help menu to update to the latest version 4.0.0.0619
  • Click here to download the updated version now.

SECURITY PROCESS
2010-05-25: David Seidman of Microsoft and Microsoft Vulnerability Research (MSVR) found the issue;
2010-05-26: Foxit Security Response Team confirmed the issue;
2010-06-01: Foxit fixed the issue;
2010-06-29: Foxit released fixed version of Foxit Reader 4.0.0.0619.

Authorization Bypass When Executing An Embedded Executable.

SUMMARY
Fixed a security issue where Foxit Reader automatically runs an executable program embedded in a PDF without asking for the user's permission.

AFFECTED SOFTWARE VERSION
Foxit Reader 3.2.0.0303.

SOLUTION
Please do one of the following:

  • Please go to "Check for Updates Now" in Reader help menu to update to the latest version 3.2.1.0401
  • Click here to download the updated version now.

SECURITY PROCESS
2010-03-29: Didier Stevens found the issue;
2010-03-30: Foxit Security Response Team confirmed the issue;
2010-03-30: Foxit fixed the issue;
2010-04-01: Foxit released fixed version of Foxit Reader 3.2.1.0401.

Firefox Plugin Memory Corruption Vulnerability Fixed

SUMMARY
The vulnerability is caused by an error in the Foxit Reader plugin for Firefox (npFoxitReaderPlugin.dll). This can be exploited to trigger a memory corruption by tricking a user into visiting a specially crafted web page which repeatedly loads and unloads the plugin.

AFFECTED SOFTWARE VERSION
Foxit Reader 3.1.2.1013 and Foxit Reader 3.1.2.1030

SOLUTION
All Foxit Reader users are recommended to update the Firefox Plugin to the latest version, which is available here: http://www.foxitsoftware.com/downloads/

SECURITY PROCESS
2009-10-20: Foxit found the issue and contacted Secunia for details immediately;
2009-10-22: Foxit confirmed issue;
2009-11-17: Foxit fixed the issue;
2009-11-17: Fix confirmed by Secunia;
2009-11-17: Foxit released Firefox Plugin 1.1.2009.1117

Two Security Vulnerabilities Fixed in Foxit Reader 3.0 and JPEG2000/JBIG2 Decoder

SUMMARY
Here is detailed information about the vulnerabilities:

  • Fixed a problem related to a negative stream offset (in a malicious JPEG2000 stream) which caused data to be read from an out-of-bounds address. We have added guard code to solve this issue.
  • Fixed a problem related to error handling when decoding the JPEG2000 header: an uncaught fatal error resulted in a subsequent invalid address access. We added error handling code to terminate the decoding process.
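
Both fixes listed above can be shown in one small reader: a guard on a signed stream offset, and a header decoder that stops at the first error. This is an added example, not Foxit's decoder; the type and function names are hypothetical, the marker values are the JPEG2000 SOC (0xFF4F) and SIZ (0xFF51) codes, and the sample bytes are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct { const uint8_t *data; size_t len; } Stream;
typedef struct { uint32_t width, height; } J2kHeader;

/* Guard: off is signed because it is computed from fields in the file. */
int stream_read_at(const Stream *s, int64_t off, void *dst, size_t n)
{
    if (off < 0)
        return -1;                              /* negative stream offset */
    if ((uint64_t)off > s->len || n > s->len - (size_t)off)
        return -1;                              /* read would pass the end */
    memcpy(dst, s->data + off, n);
    return 0;
}

static int read_u16(const Stream *s, int64_t off, uint16_t *v)
{
    uint8_t b[2];
    if (stream_read_at(s, off, b, sizeof b) != 0)
        return -1;
    *v = (uint16_t)((b[0] << 8) | b[1]);
    return 0;
}

static int read_u32(const Stream *s, int64_t off, uint32_t *v)
{
    uint8_t b[4];
    if (stream_read_at(s, off, b, sizeof b) != 0)
        return -1;
    *v = ((uint32_t)b[0] << 24) | ((uint32_t)b[1] << 16) |
         ((uint32_t)b[2] << 8) | b[3];
    return 0;
}

/* Every failure returns at once, so no later step runs on partial state. */
int decode_j2k_header(const Stream *s, int64_t off, J2kHeader *h)
{
    uint16_t soc, siz, lsiz;

    if (off > INT64_MAX - 16)
        return -1;                              /* off + k must not overflow */
    if (read_u16(s, off, &soc) != 0 || soc != 0xFF4F)
        return -1;
    if (read_u16(s, off + 2, &siz) != 0 || siz != 0xFF51)
        return -1;
    if (read_u16(s, off + 4, &lsiz) != 0 || lsiz < 41)
        return -1;                              /* Lsiz = 38 + 3 * Csiz, Csiz >= 1 */
    if (read_u32(s, off + 8, &h->width) != 0 ||
        read_u32(s, off + 12, &h->height) != 0)
        return -1;
    if (h->width == 0 || h->height == 0)
        return -1;
    return 0;
}

/* Constructed sample: SOC, SIZ marker, Lsiz = 41, Rsiz = 0, Xsiz = 256, Ysiz = 128. */
static const uint8_t SAMPLE[16] = {
    0xFF, 0x4F, 0xFF, 0x51, 0x00, 0x29, 0x00, 0x00,
    0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x80
};

int demo_decode(int64_t off)
{
    Stream s = { SAMPLE, sizeof SAMPLE };
    J2kHeader h;
    return decode_j2k_header(&s, off, &h);
}

int main(void)
{
    printf("offset 0: %d, offset -8: %d\n", demo_decode(0), demo_decode(-8));
    return 0;
}
```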

AFFECTED SOFTWARE VERSION
Foxit Reader 3.0 and JPEG2000/JBIG2 Decoder add-on version 2.0.2009.303

SOLUTION
For Foxit Reader users, please download the latest Foxit Reader 3.0, and for the critical add-on of JPEG 2000/JBIG2 decoder, please go to "Check for Updates Now" located in the Reader help menu to update the add-on to the latest version 2.0 Build 2009.616.

SECURITY PROCESS
2009-06-02: Foxit received report from CERT;
2009-06-03: Foxit confirmed issues;
2009-06-09: Foxit fixed the issues;
2009-06-19: Foxit released fixed version of Foxit Reader 3.0 Build 1817 and JPEG2000/JBIG2 Decoder add-on version 2.0 Build 2009.616.

Stack-based Buffer Overflow

SUMMARY
Foxit PDF files include actions associated with different triggers. If an action (Open/Execute a file, Open a web link, etc.) is defined in the PDF files with an overly long filename argument and the trigger condition is satisfied, it will cause a stack-based buffer overflow.

AFFECTED SOFTWARE VERSION
Foxit Reader 3.0.

SOLUTION
All Foxit Reader users are recommended to update their Foxit Reader 3.0, available here: http://www.foxitsoftware.com/downloads/

SECURITY PROCESS
2009-02-18: Foxit received report from Foxit Security Response Team;
2009-02-19: Foxit confirmed issue;
2009-02-20: Foxit fixed the issue;
2009-02-28: Fix confirmed by Foxit Security Response Team;
2009-03-09: Foxit released fixed version 3.0 Build 1506.

Security Authorization Bypass

SUMMARY
If an action (Open/Execute a file, Open a web link, etc.) is defined in the PDF files and the trigger condition is satisfied, Foxit Reader will do the action defined by the creator of the PDF file without popping up a dialog box to confirm.

AFFECTED SOFTWARE VERSION
Foxit Reader 3.0 and Foxit Reader 2.3

SOLUTION
Foxit Reader users are recommended to update to Foxit Reader 3.0. Those who keep using Foxit Reader 2.3 can download the updated version, available here: http://www.foxitsoftware.com/downloads/

SECURITY PROCESS
2009-02-18: Foxit received report from Foxit Security Response Team;
2009-02-19: Foxit confirmed issue;
2009-02-20: Foxit fixed the issue;
2009-02-28: Fix confirmed by Foxit Security Response Team;
2009-03-09: Foxit released fixed version 3.0 Build 1506 and version 2.3 Build 3902.

JBIG2 Symbol Dictionary Processing

SUMMARY
While decoding a JBIG2 symbol dictionary segment, an array of 32-bit elements is allocated having a size equal to the number of exported symbols, but left uninitialised if the number of new symbols is zero. The array is later accessed and values from uninitialised memory are used as pointers when reading memory and performing calls.
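
The allocation pattern described above, next to a hardened form, as an added example that is not Foxit's code. It is a simplified model: the type and function names are hypothetical, the table holds pointers (32-bit on a 32-bit build), and it assumes a segment with no referred-to dictionaries, so every exported symbol must be a newly decoded one.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

typedef struct { uint32_t width, height; } Symbol;   /* stand-in for a decoded bitmap */

/* Model of the pattern in the summary: the table is sized from the exported
 * count but filled only when new symbols were decoded. */
Symbol **export_table_unsafe(Symbol **new_syms, uint32_t n_new, uint32_t n_exported)
{
    Symbol **tab = malloc((size_t)n_exported * sizeof *tab);
    uint32_t i;

    if (tab != NULL && n_new > 0)
        for (i = 0; i < n_exported && i < n_new; i++)
            tab[i] = new_syms[i];
    return tab;      /* n_new == 0: every slot holds indeterminate bytes */
}

/* Hardened form: reject inconsistent counts, zero-fill, fill every slot. */
int export_table_checked(Symbol **new_syms, uint32_t n_new, uint32_t n_exported,
                         Symbol ***out)
{
    Symbol **tab;
    uint32_t i;

    *out = NULL;
    if (n_exported > n_new)
        return -1;               /* header claims more symbols than were decoded */
    if (n_exported == 0)
        return 0;
    tab = calloc(n_exported, sizeof *tab);   /* zeroed; calloc checks the multiply */
    if (tab == NULL)
        return -1;
    for (i = 0; i < n_exported; i++)
        tab[i] = new_syms[i];
    *out = tab;
    return 0;
}

/* The consumer refuses an empty or out-of-range slot instead of following it. */
int symbol_width(Symbol **tab, uint32_t n, uint32_t idx, uint32_t *width)
{
    if (tab == NULL || idx >= n || tab[idx] == NULL)
        return -1;
    *width = tab[idx]->width;
    return 0;
}

/* Constructed header values: 4 exported symbols, 0 new symbols. */
int demo_zero_new_symbols(void)
{
    Symbol **tab;
    return export_table_checked(NULL, 0, 4, &tab);
}

int main(void)
{
    printf("4 exported, 0 new: %d\n", demo_zero_new_symbols());
    return 0;
}
```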

AFFECTED SOFTWARE VERSION
JPEG2000/JBIG Decoder add-on version 2.0.2008.715 in Foxit Reader 3.0 and Foxit Reader 2.3

SOLUTION
For Foxit Reader users who have downloaded and used the JPEG2000/JBIG Decoder, please go to "Check for Updates Now" in Reader help menu to update the add-on to the latest version 2.0.2009.303 or click here to download the latest version 2.0.2009.303.

SECURITY PROCESS
2009-02-27: Foxit received report from Secunia;
2009-02-28: Foxit confirmed issue;
2009-03-04: Foxit fixed the issue;
2009-03-04: Fix confirmed by Secunia;
2009-03-09: Foxit released fixed version 2.0.2009.303

Ask Toolbar ToolbarSettings ActiveX Control Buffer Overflow
The ask.com toolbar that Foxit bundles is not the same version as the one reported on secunia.com, and doesn't have the reported vulnerability.
Click here to check the related report on secunia.com.

©2014 Foxit Software Incorporated. All rights reserved.