Foxit PDF Editor and Reader: Attacks via prepared PDF files possible
PDF applications from Foxit are vulnerable on macOS and Windows. Security updates are available.
Attackers can attack systems on which Foxit PDF Editor or Reader is installed due to vulnerabilities in the software. For a successful attack, however, victims must open PDF files containing malicious code.
Security problems
The security section of the Foxit website shows that PDF files can be manipulated with interactive forms according to the XML Forms Architecture (XFA) standard. How this can be done in detail is currently unknown.
If attackers get victims to open such a file, processing of the XFA elements triggers errors that, among other things, allow attackers to execute their own commands on the system. The developers do not mention any CVE numbers for this problem, so a standardized classification of the risk is currently not possible.
Malicious code attacks possible?
Manipulation of PDF forms with AcroForms elements is also conceivable. Opening such a file leads to memory errors and crashes. As a rule, malicious code can also be executed in such a case. The threat level of the vulnerabilities (CVE-2024-49576, CVE-2024-47810) has not yet been classified.
Attackers can also escalate their privileges and execute code with system rights. To do this, they must first place a specially prepared DLL file on the victim's system in a way that is not specified.
The developers state that they have hardened the following versions for macOS and Windows against the attacks described. All earlier versions are said to be vulnerable. As a rule, the applications automatically check for new versions. Alternatively, you can start an update manually under "Help" – "About Foxit PDF Reader". When doing so, make sure that the 14-day trial version of Foxit PDF Editor is not installed alongside it: the checkbox for this is preselected.
- Foxit PDF Editor 2024.4/13.1.5, 12.1.9/11.2.12, 12.1.7/11.1.11
- Foxit Reader 2024.4
(des)