Critical hole closed in Foxit Reader
As previously announced, Foxit Software has now released version 4.1.1.0805 of its Reader product, closing a critical hole in its PDF reader application that could allow for arbitrary code to be injected into a system. The vulnerability was shown to exist when it was exploited by the JailbreakMe.com web site. The site uses a specially crafted PDF document to jailbreak Apple's iPhone (3G, 3GS and 4), iPod Touch (four generations) and iPad without the use of a PC. Jailbreaking gets around Apple's restrictions on what applications can be installed on the Apple devices.
The hole appears to be contained in the open source FreeType2 library, which Foxit Reader and the PDF readers on iOS devices use to display fonts. Apple has not yet released an update but is said to be working on one. Red Hat has already responded by updating its FreeType packages. As the FreeType library is in widespread use, other vendors are likely to release their own updates soon.
- Security Release - Foxit Reader 4.1.1.0805, press release from Foxit Software.