Cybersecurity specialists report the finding of at least 14 security vulnerabilities in Foxit Reader and Phantom Reader, two popular tools for viewing PDF documents. Exploiting these flaws could cause all kinds of malicious scenarios.

Below are brief descriptions of the reported flaws, in addition to their respective identification keys according to the Common Vulnerability Scoring System (CVSS). It should be noted that some of the flaws do not have a CVSS code assigned.

  • CVE-2020-17413: A boundary error within the handling of U3D objects embedded in PDF files allow remote hackers to create a specially crafted PDF file able to execute arbitrary code. The flaw received a 7.7/10 score
  • CVE-2020-17417: A use-after-free error within the handling of the Annotation objects while processing AcroForm allows remote threat actors to create specially crafted PDF files to execute arbitrary code on the target system. The flaw got a 7.7/10 score
  • CVE-2020-17416: A boundary error when processing JPEG2000 images within PDF files allows remote attackers to trigger out-of-bounds writing conditions using a specially crafted PDF file. The vulnerability received a 7.7/10 score
  • CVE-2020-17415: Some inadequate default permissions for the configuration files used by the Foxit PhantomPDF Update Service could allow a local user to access or even modify files and directories. The vulnerability got a 7.7/1 score
  • CVE-2020-17414: Some incorrect default permissions for the configuration files used by the Foxit Reader Update Service. A local user with access to the system can view contents of files and directories or modify them
  • CVE-2020-17412: A boundary error within the handling of U3D objects embedded in PDF files within U3DBrowser would allow malicious hackers to trigger an out-of-bounds writing condition on the target system. The flaw received a 7.7/10 score
  • CVE-2020-17411: A boundary condition within the handling of U3D objects embedded in PDF files in U3DBrowser allows hackers to trigger an out-of-bounds read error on the affected system. This vulnerability received a 5.7/10 score
  • CVE-2020-17410: A use-after-free error within the parsing of GIF files would allow malicious hackers to run arbitrary code on the affected system. The flaw received a 7.7/10 score
  • A use-after-free error while using the /V item could allow a remote hacker to create a specially crafted PDF file to run arbitrary code on the affected system. The vulnerability received a 7.7/10 score
  • A use-after-free condition when using the Opt object after it has been removed allows threat actors to create a specially crafted PDF file to run arbitrary code on the target system. The flaw received a score of 7.7/10
  • A boundary error when processing untrusted input within the V8 JavaScript engine allows remote attackers too create a specially crafted PDF file aiming to trigger out-of-bounds write and execute arbitrary code on the target system. This vulnerability received a 7.7/10 score
  • A NULL pointer dereference flaw when processing PDF files allows remote attackers to create a specially crafted PDF file capable of execute arbitrary code on the target system. The vulnerability got a 7.7/10 CVSS score
  • A boundary error within the handling of Shading could allow a malicious remote hacker to create a specially crafted PDF file able to trigger an out-of-bounds reading condition. The flaw was tracked with a 7.7/10 CVSS score
  • During the application installation, as the installer file searches for taskkill.exe in the current working directory a remote attacker can trick the victim to launch the installer file from a remote SMB share, generating an arbitrary code execution condition. The flaw received a 6.5/10 score

The patches are now ready to be installed, so users of affected deployments are encouraged to update as soon as possible.