
how critical is the security update for Foxit reader, pls?

Discussion in 'Security and Privacy' started by Hugh Jarss, 2010/08/07.

  1. 2010/08/07
    Hugh Jarss

    Hi all

    I'm well aware that Adobe's PDF reader is currently seriously in need of patching; but what's the current situation regarding the Foxit reader, pls?

    Is this a critical issue, or just something to do with iPhones? The Foxit page mentions "can be exploited to inject arbitrary code into a system and execute it there", which doesn't sound too good...

    I've updated my Foxit just to be on the safe side! - just puzzled as to why Secunia rate the Adobe issue as highly important, but don't seem to be mentioning Foxit - even when looking up Foxit by product...

    **edit: perhaps because Foxit already have a patch out, whereas Adobe's is still in the pipeline?

    TIA, and best wishes, HJ.
     
    Last edited: 2010/08/07
  2. 2010/08/07
    Hugh Jarss

    digging deeper at Secunia...

    ...makes it look like yes, it was a critical vulnerability in Foxit reader 4; but Foxit reader 3 seems not to be affected? I hope I've got that right...

    Is there any advantage/disadvantage to running Foxit3?

    Normally I'd try to run the latest and greatest version; but with some things, less functionality is actually better it seems, nowadays :eek:

    ...must remember to check the Javascript's still disabled after the upgrade!

    best wishes, HJ.
     

  4. 2010/08/07
    rsinfo

    No idea.

    Very true at least from the security point of view but the problem is as the world advances, the software vendors stop supporting older versions & even if there is some problem in that version one does not even hear about it let alone get a patch. [Think MS - Windows XP SP2].
     
  5. 2010/08/08
    Hugh Jarss

    Hi rsinfo :) cheers for the reply...

    after a bit of trawling around I found:

    Version 4 provides new features:

    * reviewing and commenting tools like highlighting, underlining, striking out, search and replace, magnifying glass and inserting notes,
    * editing tools like textbox, adding comments, measuring bar and form filling,
    * spell checker for comments,
    * undo and redo for comments,
    * adding multimedia like images, movies, file attachments and links to a PDF document,
    * conversion of PDF to text format,
    * modifying bookmarks,
    * safe mode for secure reading.

    ...now, I'm not going to want to use any of the commenting or modification features! But "safe mode for secure reading" sounds a good idea, of course. As for "conversion of PDF to text format", well, that might perhaps be useful one day maybe - but as long as I can select text, a bit of Copy/Paste will most likely suffice for my meagre needs.

    then, I discovered that v3.3 also allows "safe mode" (allows prevention of executable content)

    so I'm going to try reverting to v3.3 for a while and see how it goes; Secunia don't seem to have anything "nasty" flagged for that version

    best wishes, HJ.
     
  6. 2010/08/09
    Hugh Jarss

    I ended up going back to v4 to err on the safe side

    Hi again

    although Secunia still don't seem to have anything bad flagged against Foxit v3 (with all patches installed), I'm not so sure now - mainly because Foxit 4.1.1 appears to be the first Foxit v4, and SANS (among others) suggested that upgrading to v4.1.1 is necessary to avoid the Jailbreak issue. Putting the two concepts together, it seems to imply that v3 must be vulnerable.

    of course, if Secunia classes upgrading v3 to v4 as "patching" v3, then it all makes sense; but that would be contrary to the way that Secunia report e.g. problems with Java's various versions :confused:

    in any case, Foxit v3.3.1 installed size turned out to be massively bigger than v3.2.x (and also, curiously, marginally larger than v4.1.1)

    (not that I'm short of space! - simply using installed size as a measure of bloat; I thought I could maybe miss out on the spellchecker for comments and other features which I'm never going to use. Don't install a feature = don't have to worry if the feature has problems)

    What Foxit describe as "the crash issue caused by the new iPhone/iPad jailbreak program" is a bit open to debate, as the Jailbreak thing seems to be a many-headed hydra. "The payload on jailbreakme-dot-com includes 20 PDF files tuned for various combinations of hardware and software" :( el Reg / F-Secure

    the only other snippet which I picked up on my travels was whatever the "Jailbreak" exploit is which affects the Foxit reader, it doesn't affect the Adobe reader. Adobe's reader's current unpatched vulnerability is something different altogether, or so it seems

    wry smile time: reading up to try to unravel all this required looking at several, yup, you guessed it, PDF documents :rolleyes:

    best wishes, HJ.

    **edit/afterthought: broke the URL to make curious folks have to try a bit harder, as something at that site was described by F-secure as a "drive-by" (probably means for iOS)
     
    Last edited: 2010/08/09
  7. 2010/08/09
    Russ

    Foxit Reader 4.1.1.0805 upgrade fixes the crash issue caused by the new iPhone/iPad jailbreak program and prevents the malicious attacks to your computer. That is what it says about the update when using the update button in Foxit Reader.
     
  8. 2010/08/10
    Hugh Jarss

    Hi Russ

    crash issue is one thing; execute code is something rather different!
    ...from the Foxit advisory note

    which still doesn't (by itself) really make it clear what kind of system the injected code is going to execute on, does it? - and of course, they've just been talking about the Jailbreak thing which is primarily aimed at executing a certain type of code on Apple iPhones

    but Apple iPhones won't be running the Foxit reader, because iPhones have their own PDF reader which is built into Apple iOS (and opens PDFs attached to emails automatically without asking for user confirmation first, as I understand). Hmmm, yummy... :eek:

    so, Foxit talk about possibility of executing injected code; but the Foxit reader doesn't run on iPhones: which begs the question, "What is the Foxit going to be running on, then?" - I think the answer has to be Windows boxes. Thinking about it, would the issue have merited a SANS diary entry if it were merely a crashing problem with the Foxit reader? I suspect not.

    ...problem is, the wording which I quoted from the Foxit page can be interpreted more than one way. Which is really why I started this thread, to see if some kind knowledgeable person could clarify things a bit.

    It's no big deal of course, as long as upgrading to v4.1.1 resolves the issue (whatever the issue is!). At least Foxit users can update to a fixed version ;) Adobe users are still waiting (OK, different vulnerability), patch coming out during the week of August 16, 2010.

    best wishes, HJ
     
