Foxit Reader Multiple Vulnerabilities

[PhilB66]

Read about it @ http://msmvps.com/bl...vulnerabilities.aspx

Foxit released an update... so what are you waiting for... 

[bgd77]

Thanks for pointing this out! 

[Deozaan]

This was also briefly mentioned by xtabber in the Acrobat bug can lead to malware installs without even opening an infected file thread.

EDIT: It was mentioned in the Acrobat thread because Foxit had the same vulnerability. So if you didn't know about it then maybe you should also read the other thread as well.

[f0dder]

Nice to have a separate thread about it, though - foxit users might not have read through the Acrobat-bug thread very carefully

[Deozaan]

Nice to have a separate thread about it, though - foxit users might not have read through the Acrobat-bug thread very carefully

-f0dder (March 10, 2009, 03:03 AM)

Good point. I edited my post to clarify that point.

[Nod5]

Thanks for pointing this out. I had missed it. Thought it was an Acrobat only bug.

The onclear Foxit updates window doesn't help either. Mine reports these updates:

It is at first glance hard to tell which ones are important, which are trial versions and which are security related. I'm thinking that the less add-ons I install the less vulnerable will Foxit be. I'd prefer if there was a "show security updates only" filter.

[Josh]

Good thing I didn't make a quick switch due to vulnerabilities that were originally thought to be adobe only!

[CGA]

I've always liked PDF-XChange Viewer better.

[Deozaan]

Nod5: Not sure which of the updates are important in that list, but the one that fixed the vulnerability was underneath the "Reader Update" section.

[f0dder]

Good thing I didn't make a quick switch due to vulnerabilities that were originally thought to be adobe only!

-Josh (March 10, 2009, 04:04 PM)

Fortunately, foxit will likely just crash if presented with a code-execution-exploit made for Adobe Reader - and AR is going to be the target because of marketshare.

I'd definitely get the JPEG2000/JBIG2 codec update, since it's apparently a flaw in the JBIG2 (using this library?) that's exploited this time (for both FR, AR, et cetera). (Or perhaps you weren't vulnerable at all if you didn't have JBIG2 support installed? )

[Nod5]

Deozaan: yes I updated on another machine and noticed that this time. So the updater layout was a bit better than I first thought. The "Reader Update" above is just a category, not an update in itself. So the it is pretty clear that there are no more updates in the image above. But still a bit messy. BTW, I think it makes sense for every updater for every program to very sharply distinguish security updates from other updates. Larger font, bold, color, blinking letters, whatever - just declare loud and clear either that there are security updates available or that there are no security updates available. Users should never have to sift through various other add-ons etc to find out the security update status.

f0dder: yeah, I'm hoping that not installing the add-on will prevent the exploit in the first place. But I installed the security update anyway of course.