PDF patch time: fixes land for over 100 flaws in Adobe's and Foxit's PDF software

Admins should get started patching Adobe Acrobat and Reader as well as Foxit PDF software with the latest updates from both software houses. 

Adobe on Monday released updates for its Acrobat and Reader PDF software to address 85 vulnerabilities affecting its software on Windows and macOS, many of which are critical and could be used by an attacker for remote code execution attacks. 

Popular PDF software maker Foxit also announced Foxit Reader 9.3 and Foxit PhantomPDF 9.3, which address critical flaws affecting prior versions of its PDF reading and creation products for Windows. 

Aleksandar Nikolic of Cisco Talos found critical flaws affecting both Adobe’s and Foxit’s software that have been fixed in the latest releases from both firms. 

He is credited with finding one of the nearly 50 critical flaws among the 85 that Adobe fixed in its October PDF app software update, and found a further 18 bugs in Foxit’s PDF apps, which are commonly used alternatives to Adobe’s PDF products. 

The Acrobat and Reader bug he found, which is tagged as CVE-2018-12852, is a use after free flaw that could lead to arbitrary code execution in Adobe’s software. The impact should be limited assuming the attack does not break the sandbox Adobe’s PDF software work within.

A dozen of the 18 flaws he found in Foxit’s software could be exploited by fooling a user into opening a rigged PDF document or viewing a malicious PDF in a web browser. If the plugin is enabled, the flaw could be exploited when a user visits a malicious website. 

“There are a couple of different ways an adversary could leverage this attack including tricking a user to opening a specially crafted, malicious PDF or, if the browser plugin is enabled, the user could trigger the exploit by viewing the document in a web browser,” the researcher noted. 

Foxit Reader for Windows versions 9.2.0.9297 and earlier are affected, as are Foxit PhantomPDF versions 9.2.0.9297 and earlier.

Several of the flaws affecting Adobe and Foxit PDF software were reported through Trend Micro’s Zero Day Initiative ZDI program. PDF software makes for a nice target because of the abundance of features they have, among them image and document parsing capabilities that can be exploited. 

Hackers are also looking for creative ways to break the PDF reader sandbox protections. Adobe warned in May that attackers had exploited a critical zero-day flaw affecting Acrobat that was combined with a Windows 7 flaw designed to break the sandbox Acrobat operated in.