Vulnerabilities in several PDF applications

Security holes in numerous PDF applications allow attackers to infect systems with malware. When loading and unloading certain COM objects, for instance, the Foxit plug-in (npFoxitReaderPlugin.dll) for the Firefox web browser under Windows causes a memory leak that can potentially be exploited for injecting and executing code via specially crafted web pages. The flaw was discovered in version 3.1.1.0928 and has also been confirmed to exist in the current version 3.1.2.1013 of Foxit Reader (with Firefox 3.5.3 ). A similar bug that affected the loading of objects was recently fixed in Adobe Reader. So far, no updates have been made available for Foxit Reader.

Developers have also released a patch for the free Xpdf PDF reader that fixes four security problems in version 3.02. Exploits for a buffer overflow and a null pointer dereference hole are already in circulation. Problems in Xpdf usually cause a whole string of vulnerabilities in other applications that are based on its code, for example poppler, CUPS , Gpdf and KPDF.

In CUPS, the holes were reportedly closed in the official version 1.4.1. Currently, no official updates have been released for KPDF, poppler or gpdf. However, Linux distributor Red Hat has already released new packages for these applications, and other distributors are likely to follow soon. As always, users are advised to treat unsolicited PDF documents with caution and open them in an alternative PDF reader until the relevant updates have become available.

See also:

• Xpdf - Integer overflow which causes heap overflow and NULL pointer dereference, security advisory from Adam Zabrocki.
• Memory corruption when loading/unloading Adobe objects through EMBED tag in Firefox, Full Disclosure mailing list post.
• kdegraphics security update, security advisory from Red Hat.
• Adobe closes 29 vulnerabilities in Acrobat and Reader, a report from The H.

(crve)