Windows and Mac users alike urged to patch PhantomPDF over use-after-free vulns • The Register


Windows and Mac users running Foxit’s popular PhantomPDF reader should update their installations to the latest version after the US CISA cybersecurity agency warned of a handful of high-severity product vulnerabilities.

In its latest regular threat report, CISA counted four CVSS v2 7.5-level vulns affecting PhantomPDF.

The software suite is widely used for manipulating PDFs, particularly by people who, for whatever reason, eschew Adobe’s products and pricing model.

Foxit has published updates for its software in both Windows and Apple Mac formats. Those readers running versions prior to 10.1 for Windows and version 4.1 for Mac ought to download and install them from Foxit’s website.

The four most recent vulns range from use-after-free snafus to out-of-bounds memory writes and read/write access violations.

Foxit’s patch notes stated, for one of the vulns: “Addressed a potential issue where the application could be exposed to Use-After-Free vulnerability and crash when executing JavaScript in certain AcroForm. This occurs due to the use of Opt object after it has been deleted by calling Field::ClearItems method while executing Field::DeleteOptions method.”

Under CVSS v3, the vulns were scored as 9.8, a critical score, though it is important to note that CVSS scores are generally a guide to the worst-case-scenario impact of a vuln if it is misused.

The Register has asked Foxit for comment.

Use-after-free vulns are where an application re-reads memory that has been reallocated by the host system to something else; a suitably prepared malicious person can insert code into the right memory area which could, in theory, be read by the application and executed.

Last year Foxit suffered a data security problem that saw “third parties” gain access to its users’ My Account area data. ®



Source link

Recent articles

Journalist murdered in Mexico, sixth this year: governor | Mexico

49-year-old journalist and television news show host, Arturo Alba Medina, was assassinated a few minutes after the end of his programme in Chihuahua...

FINKEL and UK Grime Artist Kamakaze Release ‘Bleach Vial’ Music Video

Indie/electronic duo FINKEL (Jane and Brian Spencer) released a track with UK Grime Artist Kamakaze; the song, Bleach Vial, is a commentary...

LEGO Technic: Lamborghini Sián FKP 37 Car Model for $325 + free shipping – CNET

LEGO Technic: Lamborghini Sián FKP 37 Car Model for $325 Source link

Maze Actors Square off Amid Speculation of Quitting | Cyware Alerts

The year 2020 has been an opportune time for threat actors due to the COVID-19 pandemic when several cyber threats have been observed...

PHOTOS: We’re Starting to See the First Signs of Christmas at Disney’s Animal Kingdom

Disney World’s about to get some big changes for the holiday season. And, our gingerbread-loving hearts have been on the look-out for new...

Do Dunkin’ and Arby’s Go Together? Private Equity Group Bets $11 Billion They Do

The takeover by Inspire is the second time that Dunkin’ will be owned by private equity. In recent years, the private equity owners...

Leave a reply

Please enter your comment!
Please enter your name here