Foxit PDF viewer open to attack, say researchers
Unlike Adobe Reader, patch for free Foxit is available now
Computerworld - Security researchers today warned of several vulnerabilities in Foxit, a free PDF document viewer that has been recommended as an alternative to Adobe Reader, which currently contains an unpatched critical bug of its own.
Foxit Software Co. patched its namesake today to plug three holes.
One of the three vulnerabilities is in the same JBIG2 image compression format fingered by researchers last month as the root of the bug in Adobe System Inc.'s popular Reader and Acrobat applications. The flaw in Adobe's software, which has been exploited by hackers since at least early January, will not be patched until Wednesday, according to Adobe's schedule.
The Foxit and Adobe bugs are unrelated, however, except for the fact that they are both in the code that parses JBIG2 images, said Thomas Kristensen, chief technology officer at Secunia, the Danish company that reported the flaw to Foxit. "It is a completely different vulnerability related to JBIG2," Kristensen said in an e-mail today.
It was Adobe's confirmation of its bug that prompted Secunia researchers to dig into other PDF viewers. "We did, however, start the research in Foxit out of curiosity based on the Adobe vulnerability, and discovered this new vulnerability," Kristensen said. Secunia reported the bug to Foxit on Feb. 27.
Kristensen declined to offer more information on the Foxit flaw, or the path that Secunia researchers took in finding it.
The remaining two bugs in Foxit were reported Feb. 18 by Core Security Technologies, a developer of penetration testing software. One of the vulnerabilities can trigger a buffer overflow, while the other could be used by attackers to circumvent security warnings.
Foxit has posted patched versions of Foxit 3.0 and Foxit 2.3 on its Web site.
Adobe plans to patch Version 9 of Reader and Acrobat March 11, and Versions 7 and 8 of the applications on March 18.
Read more about Security in Computerworld's Security Topic Center.
- The Truth About Cloud Security "Security" is the number one issue holding business leaders back from the cloud. But does the reality match the perception?
- Enable secure remote access to 3D data without sacrificing visual perfomance Design and manufacturing companies must adapt quickly to the demands of an increasingly global and competitive economy. To speed time to market for...
- Virtually Delivered High Performance 3D Graphics "A picture is worth a thousand words." That old phrase is as true today as it ever was. Pictures (i.e., those with heavy...
- Best Practices for Securing Hadoop Historically, Apache Hadoop has provided limited security capabilities. To protect sensitive data being stored and analyzed in Hadoop, security architects should use a...
- What should I look for in a Next Generation Firewall? SANS Provides Guidance With so many vendors claiming to have a Next Generation Firewall (NGFW), it can be difficult to tell what makes each one different....
- Responding to New SSL Cybersecurity Threat The featured Gartner research examines current strategies to address new SSL cybersecurity threats and vulnerabilities. All Security White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!