Author Topic: Foxit Reader Multiple Vulnerabilities  (Read 3376 times)

PhilB66

Foxit Reader Multiple Vulnerabilities
« on: March 09, 2009, 08:52:07 PM »
Read about it @ http://msmvps.com/bl...vulnerabilities.aspx

Foxit released an update... so what are you waiting for...  :D

bgd77

Re: Foxit Reader Multiple Vulnerabilities
« Reply #1 on: March 10, 2009, 02:07:30 AM »
Thanks for pointing this out!  :up:

Deozaan

Re: Foxit Reader Multiple Vulnerabilities
« Reply #2 on: March 10, 2009, 02:36:55 AM »
This was also briefly mentioned by xtabber in the "Acrobat bug can lead to malware installs without even opening an infected file" thread.

EDIT: It was mentioned in the Acrobat thread because Foxit had the same vulnerability. So if you didn't know about it then maybe you should also read the other thread as well. :)

« Last Edit: March 10, 2009, 03:05:11 AM by Deozaan »

f0dder

Re: Foxit Reader Multiple Vulnerabilities
« Reply #3 on: March 10, 2009, 03:03:32 AM »
Nice to have a separate thread about it, though - foxit users might not have read through the Acrobat-bug thread very carefully :P
- carpe noctem

Deozaan

Re: Foxit Reader Multiple Vulnerabilities
« Reply #4 on: March 10, 2009, 03:05:37 AM »
Nice to have a separate thread about it, though - foxit users might not have read through the Acrobat-bug thread very carefully :P

Good point. I edited my post to clarify that point. :)


Nod5

Re: Foxit Reader Multiple Vulnerabilities
« Reply #5 on: March 10, 2009, 02:18:03 PM »
Thanks for pointing this out. I had missed it. Thought it was an Acrobat only bug.

The unclear Foxit updates window doesn't help either. Mine reports these updates:
[Image: foxit.png]
It is at first glance hard to tell which ones are important, which are trial versions and which are security related. I'm thinking that the fewer add-ons I install, the less vulnerable Foxit will be. I'd prefer if there was a "show security updates only" filter.


« Last Edit: March 10, 2009, 02:19:39 PM by Nod5 »

Josh

Re: Foxit Reader Multiple Vulnerabilities
« Reply #6 on: March 10, 2009, 04:04:02 PM »
Good thing I didn't make a quick switch due to vulnerabilities that were originally thought to be adobe only!

CGA

Re: Foxit Reader Multiple Vulnerabilities
« Reply #7 on: March 10, 2009, 04:32:40 PM »
I've always liked PDF-XChange Viewer better.

Deozaan

Re: Foxit Reader Multiple Vulnerabilities
« Reply #8 on: March 10, 2009, 04:43:57 PM »
Nod5: Not sure which of the updates are important in that list, but the one that fixed the vulnerability was underneath the "Reader Update" section.


f0dder

Re: Foxit Reader Multiple Vulnerabilities
« Reply #9 on: March 10, 2009, 05:50:50 PM »
Good thing I didn't make a quick switch due to vulnerabilities that were originally thought to be adobe only!
Fortunately, foxit will likely just crash if presented with a code-execution-exploit made for Adobe Reader - and AR is going to be the target because of marketshare.

I'd definitely get the JPEG2000/JBIG2 codec update, since it's apparently a flaw in the JBIG2 (using this library?) that's exploited this time (for both FR, AR, et cetera). (Or perhaps you weren't vulnerable at all if you didn't have JBIG2 support installed? :))
- carpe noctem

Nod5

Re: Foxit Reader Multiple Vulnerabilities
« Reply #10 on: March 11, 2009, 01:36:09 PM »
Deozaan: yes, I updated on another machine and noticed that this time. So the updater layout was a bit better than I first thought. The "Reader Update" above is just a category, not an update in itself. So it is pretty clear that there are no more updates in the image above. But still a bit messy. BTW, I think it makes sense for every updater for every program to very sharply distinguish security updates from other updates. Larger font, bold, color, blinking letters, whatever - just declare loud and clear either that there are security updates available or that there are no security updates available. Users should never have to sift through various other add-ons etc. to find out the security update status.

f0dder: yeah, I'm hoping that not installing the add-on will prevent the exploit in the first place. But I installed the security update anyway of course.