Foxit Reader 5.4 fixes DLL hijacking vulnerability
The recent 5.4 release of Foxit Software's proprietary PDF Reader addresses a DLL hijacking vulnerability that could be exploited by an attacker to compromise a victim's system. According to the company, previous versions of its software contained a security hole that allowed it to call and execute malicious code stored in an infected Dynamic Link Library (DLL) file.
For an attack to be successful, a victim must first open a PDF file in the same directory as a specially crafted version of a system DLL file. This could occur, for example, when an attacker publishes a PDF file on a WebDAV or SMB share and places the crafted DLL in the same shared folder. When the file is opened, Foxit Reader is loaded and begins to load system libraries, but because of a programming oversight, it will first look for some of these libraries in the directory it loaded the PDF from. As a result, a malicious DLL that has the same name as one of the system libraries being searched for is loaded into the application and its code is executed.
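A defender can audit a file share for the layout described above, a DLL with a system library name sitting next to a PDF. The following is an added example, not code from Foxit or from the original article; the DLL name list and the sample folder names are assumptions made for illustration.

```python
import tempfile
from pathlib import Path

# Assumption: illustrative Windows system library names. The article does not
# say which libraries Foxit Reader searched for in the document's directory.
SYSTEM_DLL_NAMES = {"kernel32.dll", "user32.dll", "version.dll"}


def find_colocated_dlls(root, system_names=SYSTEM_DLL_NAMES, doc_exts=(".pdf",)):
    """Return sorted (relative_dir, dll_name) pairs for DLLs that carry a
    system library name and sit in the same folder as a document."""
    root = Path(root)
    wanted = {name.lower() for name in system_names}
    findings = []
    for directory in [root, *(p for p in root.rglob("*") if p.is_dir())]:
        files = [p for p in directory.iterdir() if p.is_file()]
        # Only folders a user would open a document from are of interest.
        if not any(p.suffix.lower() in doc_exts for p in files):
            continue
        for p in files:
            # Windows file names are case-insensitive, so compare lowercased.
            if p.suffix.lower() == ".dll" and p.name.lower() in wanted:
                findings.append((directory.relative_to(root).as_posix(), p.name))
    return sorted(findings)


def demo():
    """Run the check over a constructed sample share (all names made up)."""
    with tempfile.TemporaryDirectory() as tmp:
        share = Path(tmp)
        layout = {
            "invoices": ["report.pdf", "VERSION.DLL"],  # document + system-named DLL
            "tools": ["version.dll"],                   # no document in folder
            "docs": ["manual.pdf", "helper.dll"],       # DLL name is not a system one
        }
        for folder, names in layout.items():
            (share / folder).mkdir()
            for name in names:
                (share / folder / name).write_bytes(b"")
        return find_colocated_dlls(share)


if __name__ == "__main__":
    for folder, dll in demo():
        print(f"review: {folder}/{dll} shares a folder with a document")
```

On a real share, pass the names found in the Windows system directory as `system_names` instead of the short sample set.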
Versions up to and including Foxit Reader 5.3.1.0606 are affected. The company credits Remy Brands with discovering the issue on 24 August. While Foxit notes that it corrected the problem just two days later, it only released Foxit Reader 5.4, which contains the fix, on 6 September.
Further information about the 5.4 update, including a list of new features, can be found in the release announcement. Foxit Reader 5.4 is available to download from the company's site; existing users can upgrade to the new version by selecting the "Check for Updates Now" option under the Reader help menu.
- Fixed an issue where Foxit Reader may call and run malicious code in the DLL file, security advisory from Foxit Software.