Author Topic: Vulnerabilities in several PDF applications  (Read 11749 times)


pete319

  • Guest

Offline Omid Farhang

  • Frontend Developer
  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1660
  • I wish I could write longer personal text!!
    • Homepage
Re: Vulnerabilities in several PDF applications
« Reply #1 on: October 20, 2009, 03:54:41 PM »
Thanks for showing Foxit fans they are not secure too!!  ;D :D ::)
Twitter: OmidFarhangEn - OS: Manjaro KDE

YoKenny

  • Guest
Re: Vulnerabilities in several PDF applications
« Reply #2 on: October 20, 2009, 04:13:11 PM »
Quote
Thanks for showing Foxit fans they are not secure too!!  ;D :D ::)

IE8 not vulnerable?
Quote
The flaw was discovered in version 3.1.1.0928 and has also been confirmed to exist in the current version 3.1.2.1013 of Foxit Reader (with Firefox 3.5.3 ).

Sesame

  • Guest
Re: Vulnerabilities in several PDF applications
« Reply #3 on: October 20, 2009, 04:17:15 PM »
Quote
Thanks for showing Foxit fans they are not secure too!!  ;D :D ::)

So, does it please you if someone posts possible exploits of PDF Xchange viewer portable version?  Jokes aside, at times, portable version of software saves the day since it is not tied to the system and other programs.  In fact, I didn't find any .NET Framework Assistant plugin on portable Firefoxes on our systems.

According to Logos' relatively recent post, unpatched vulnerabilities of applications such as Adobe Reader and, of course, Adobe Flash (also, Foxit Reader according to the article introduced in the original post) are dangerous when combined with web browsers.

Quote
People who are unfortunate enough to visit the sites won't see anything unusual. But behind the scenes, a PHP script checks their version of Adobe Reader and Adobe Flash, and if either is out of date, hijacks their PCs using known vulnerabilities. If both of those programs are up to date, the script tests to see if the system is vulnerable to several bugs Microsoft has patched in the last few months.

Even my portable version of Firefox is not immune to Adobe Flash exploit, which is why I have to check for the latest update of it even though NoScript can reduce the chance of successful exploitation.  Seriously, this kind of information shouldn't be needed for application fanboyism/fangalism but to secure our systems.

[Edited to avoid further confusion]
« Last Edit: October 20, 2009, 04:49:24 PM by Rumpel »

YoKenny

  • Guest
Re: Vulnerabilities in several PDF applications
« Reply #4 on: October 20, 2009, 04:28:25 PM »
Quote
Thanks for showing Foxit fans they are not secure too!!  ;D :D ::)
So, does it please you if someone posts possible exploits of PDF Xchange viewer portable version?  Jokes aside, at times, portable version of software saves the day since it is not tied to the system and other programs.  In fact, I didn't find any .NET Framework Assistant plugin on portable Firefoxes on our systems.
According to Logos' relatively recent post, unpatched vulnerabilities of applications such as Foxit Reader, Adobe Reader and, of course, Adobe Flash are dangerous when combined with web browsers.

It mentions Adobe Reader and Adobe Flash but not Foxit Reader.

Don't read any PDF file that is not from a trusted source.

Sesame

  • Guest
Re: Vulnerabilities in several PDF applications
« Reply #5 on: October 20, 2009, 04:47:02 PM »
Quote
It mentions Adobe Reader and Adobe Flash but not Foxit Reader.

No, it doesn't mention Foxit Reader but I added it in reference to the OP.  A common point of the articles is that these applications may become targets through plug-ins installed on web browsers.
« Last Edit: October 20, 2009, 04:49:38 PM by Rumpel »

Alan Baxter

  • Guest
Re: Vulnerabilities in several PDF applications
« Reply #6 on: October 20, 2009, 05:03:29 PM »
Thank you for the heads-up, Pete.  I've subsequently posted a warning about this Security Vulnerability in Foxit Reader 3.1.2.1013 to the Foxit Reader and Mozillazine Tech forums.
http://forums.foxitsoftware.com/showthread.php?t=15553
http://forums.mozillazine.org/viewtopic.php?f=37&t=1546015

BTW, I assume that all these Internet apps have unreported vulnerabilities too.  I like YoKenny's advice:
Quote
Don't read any PDF file that is not from a trusted source.

If I recall correctly, YoKenny also keeps himself safe by keeping IE8 in Vista fully patched.  I do the same in Firefox and also use the NoScript extension to block all pdf files.  Until Foxit fixes it, I've disabled the Foxit Reader plugin for Firefox.
« Last Edit: October 20, 2009, 05:05:38 PM by Alan Baxter »

Sesame

  • Guest
Re: Vulnerabilities in several PDF applications
« Reply #7 on: October 20, 2009, 05:12:49 PM »
Quote
BTW, I assume that all these Internet apps have unreported vulnerabilities too.  I like YoKenny's advice:

Indeed, the article says "numerous PDF applications," whether through plug-ins or not.

Alan Baxter

  • Guest
Re: Vulnerabilities in several PDF applications
« Reply #8 on: October 20, 2009, 05:23:58 PM »
Quote
BTW, I assume that all these Internet apps have unreported vulnerabilities too.  I like YoKenny's advice:
Indeed, the article says "numerous PDF applications," whether through plug-ins or not.

I see now I wasn't clear.  I'm talking about unreported vulnerabilities in all Internet apps, not just pdf readers or the ones the article itemizes.

Edit: spelling
« Last Edit: October 20, 2009, 06:01:37 PM by Alan Baxter »

Sesame

  • Guest
Re: Vulnerabilities in several PDF applications
« Reply #9 on: October 20, 2009, 05:29:51 PM »
Quote
I see now I wasn't clear.  I'm talking about unreported vulnerabilities in all Internet apps, not just pdf readers or the ones the article itemizes.

???  In that case, I'm confused.  Any app may have unreported vulnerabilities but it's too much generalization for this specific issue in this topic, I guess.

Alan Baxter

  • Guest
Re: Vulnerabilities in several PDF applications
« Reply #10 on: October 20, 2009, 05:43:13 PM »
I was indeed posting what I do to protect myself from all vulnerabilities, including the ones referenced in the article.  I think briefly mentioning techniques for reducing exposure to vulnerabilities in general is on-topic here, especially if they also cover the ones itemized in the article. But I can see how that may have confused you.

Sesame

  • Guest
Re: Vulnerabilities in several PDF applications
« Reply #11 on: October 20, 2009, 05:57:12 PM »
Quote
I was indeed posting what I do to protect myself from all vulnerabilities, including the ones referenced in the article.  I think briefly mentioning techniques for reducing exposure to vulnerabilities in general is on-topic here, especially if they also cover the ones itemized in the article. But I can see how that may have confused you.

I see, thanks for the clarification.

Offline Omid Farhang

Re: Vulnerabilities in several PDF applications
« Reply #12 on: October 20, 2009, 06:03:26 PM »
No, it never pleases me when I hear there is a new flaw and threat, virus, malware etc.
I wish there was none of them and everyone was secure, and not working on their protection and only using and enjoying their web surf and computer usage.

I just liked that link because it said the same as what I say. I was saying alternatives look secure because they are not as popular as the original programs, so they are not under the radar of hackers and people talk about them less than the originals. That's all; I don't want to talk about them again because I've said this many times.

YoKenny

  • Guest
Re: Vulnerabilities in several PDF applications
« Reply #13 on: October 20, 2009, 07:17:15 PM »

Quote
If I recall correctly, YoKenny also keeps himself safe by keeping IE8 in Vista fully patched.  I do the same in Firefox and also use the NoScript extension to block all pdf files.  Until Foxit fixes it, I've disabled the Foxit Reader plugin for Firefox.

I don't use Firefox nor Vista and use Windows 7 as I like its additional features.

Protected Mode in IE7/IE8 requires UAC be fully enabled in addition to the setting in Internet Explorer being enabled.
Since UAC is typically disabled by Windows Vista/Windows 7 users, that's an important point to consider.

Switch UAC to the quiet mode
http://www.tweak-uac.com/what-is-tweak-uac

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33926
  • malware fighter
Re: Vulnerabilities in several PDF applications
« Reply #14 on: October 20, 2009, 07:23:42 PM »
Hi Omid Farhang,

Quote
Thanks for showing Foxit fans they are not secure too!!

How many vulnerabilities does the Foxit Reader Firefox plug-in have in common with Adobe's reader?
So the Foxit Reader Firefox plug-in is also vulnerable, and no patch in sight yet....
http://seclists.org/fulldisclosure/2009/Oct/198
So download first, then read.....but what about new (malicious) PDF files?
Why didn't Firefox put the plug-in on the block list?

polonus

P.S. I have scanned with Secunia PSI and a clean list....
« Last Edit: October 20, 2009, 10:03:31 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!