Foxit PDF viewer open to attack, say researchers
Unlike Adobe Reader, patch for free Foxit is available now
Computerworld - Security researchers today warned of several vulnerabilities in Foxit, a free PDF document viewer that has been recommended as an alternative to Adobe Reader, which currently contains an unpatched critical bug of its own.
Foxit Software Co. patched its namesake today to plug three holes.
One of the three vulnerabilities is in the same JBIG2 image compression format fingered by researchers last month as the root of the bug in Adobe System Inc.'s popular Reader and Acrobat applications. The flaw in Adobe's software, which has been exploited by hackers since at least early January, will not be patched until Wednesday, according to Adobe's schedule.
The Foxit and Adobe bugs are unrelated, however, except for the fact that they are both in the code that parses JBIG2 images, said Thomas Kristensen, chief technology officer at Secunia, the Danish company that reported the flaw to Foxit. "It is a completely different vulnerability related to JBIG2," Kristensen said in an e-mail today.
It was Adobe's confirmation of its bug that prompted Secunia researchers to dig into other PDF viewers. "We did, however, start the research in Foxit out of curiosity based on the Adobe vulnerability, and discovered this new vulnerability," Kristensen said. Secunia reported the bug to Foxit on Feb. 27.
Kristensen declined to offer more information on the Foxit flaw, or the path that Secunia researchers took in finding it.
The remaining two bugs in Foxit were reported Feb. 18 by Core Security Technologies, a developer of penetration testing software. One of the vulnerabilities can trigger a buffer overflow, while the other could be used by attackers to circumvent security warnings.
Foxit has posted patched versions of Foxit 3.0 and Foxit 2.3 on its Web site.
Adobe plans to patch Version 9 of Reader and Acrobat March 11, and Versions 7 and 8 of the applications on March 18.
Read more about Security in Computerworld's Security Topic Center.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts