A recently discovered critical vulnerability allowing arbitrary remote code execution in a browser plug-in component of the PDF viewer application Foxit Reader has been patched, according to the vendor. The vulnerability was publicly disclosed on January 7 by independent security researcher Andrea Micalizzi, according to IDG News Service. Foxit announced on January 17 that it had issued a patch.
“Foxit Reader 5.4.5 fixed a security issue where attackers can exploit a web browser plugin vulnerability to execute arbitrary code,” the company wrote in an advisory on its website. “The vulnerability is caused by a boundary error in the Foxit Reader plugin for web browsers (npFoxitReaderPlugin.dll) when processing a URL and can be exploited to cause a stack-based buffer overflow via an overly long file name in the URL.”
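The boundary error the advisory describes, as an added illustration that is not Foxit's plug-in code: a file-name component taken from a URL and copied into a fixed-size stack buffer, shown in the unchecked form beside a version that refuses names that do not fit. The buffer size, sample URLs and function names are constructed for this example.

```c
#include <stdio.h>
#include <string.h>

#define NAME_BUF_SIZE 64   /* constructed limit for this example */

/* Constructed sample URLs (not taken from the advisory). */
const char *SHORT_URL_SAMPLE = "http://example.invalid/docs/report.pdf";
const char *LONG_URL_SAMPLE  = "http://example.invalid/"
    "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
    "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" ".pdf"; /* name well over NAME_BUF_SIZE */

/* File-name component of a URL: the text after the last '/'. */
const char *url_file_name(const char *url) {
    const char *slash = strrchr(url, '/');
    return slash ? slash + 1 : url;
}

/* Unsafe pattern: the name length is never compared with the buffer size,
   so an overly long name overruns the stack buffer (the bug class in the
   advisory). Shown only to make the defect visible; never call it with
   untrusted input. */
void copy_file_name_unchecked(const char *url, char *out) {
    strcpy(out, url_file_name(url));
}

/* Hardened form: refuse any name that does not fit with its terminator.
   Returns 1 on success, 0 (leaving an empty string) when it is too long. */
int copy_file_name_checked(const char *url, char *out, size_t out_size) {
    const char *name = url_file_name(url);
    size_t len = strlen(name);
    if (out_size == 0) return 0;
    if (len >= out_size) {        /* no room for the name plus NUL */
        out[0] = '\0';
        return 0;
    }
    memcpy(out, name, len + 1);
    return 1;
}

/* Stages the name in a fixed-size stack buffer the way a plug-in might. */
int accept_url(const char *url) {
    char name[NAME_BUF_SIZE];
    return copy_file_name_checked(url, name, sizeof name);
}

int main(void) {
    printf("short name accepted: %d\n", accept_url(SHORT_URL_SAMPLE));  /* 1 */
    printf("long name accepted:  %d\n", accept_url(LONG_URL_SAMPLE));   /* 0 */
    return 0;
}
```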
The vulnerable plug-in is automatically installed for the Mozilla Firefox, Google Chrome and Safari web browsers, IDG News Service noted. Users can download the patch from the Reader menu or the Foxit website.
According to IDG, Foxit is often seen by security professionals as a more secure alternative to Adobe Reader, and the company advertises itself as “the most secure PDF reader” on its website. The vendor claims to have more than 130 million users.
While PDF exploits have become less common than they once were, they are still present in many web exploit toolkits, and hackers continue to use them on outdated versions of Adobe Reader, IDG reported. Attacks on Reader made up 28 percent of security incidents involving vulnerability exploits in 2012, according to researchers at Kaspersky Lab.
To reduce this class of vulnerability before it reaches users, and to shore up their software security credentials, developers may want to consider incorporating source code analysis tools into their coding process.
Software news brought to you by Klocwork Inc., dedicated to helping software developers create better code with every keystroke.
With over a decade spent in web process analysis and optimization I now manage the web presence and online marketing channels for Klocwork. I love to follow technology, privacy and security issues online and am a technology geek at heart. I will try to post interesting news and developments in the software security industry. Dovahkiin! 