Cisco Talos researchers discovered multiple vulnerabilities in Atlantis Word Processor and Foxit PDF reader.
Researchers disclosed eighteen vulnerabilities in Foxit PDF reader, many of which could result in an attacker carrying out arbitrary code execution, and eight vulnerabilities in Atlantis Word Processor, many of which could result in buffer overflow attacks.
An exploitable out-of-bounds write vulnerability exists in the word document parser of Atlantis Word Processor that could allow a malicious document to write a value outside the bounds of a heap allocation, resulting in a buffer overflow. This attack would require the attacker to convince the target to open the malicious document.
Untangle Chief Technology Officer Timur Kovalev told SCMedia, users could unknowingly activate some of these vulnerabilities by viewing the document in a web browser since Foxit PDF also offers a browser plugin.
“It is critical for any person or business using the Foxit products to immediately upgrade to the newest version to ensure the vulnerabilities are patched,” Kovalev said. “Browser plugins have led to hackers exploiting weaknesses in the past, so it is important users understand the risk of enabling plugins.”
He went on to note that FoxitPDF reader is one of the most popular free tools for viewing, commenting, or editing PDF documents and that users gravitate towards free readers and editors as alternatives to paid products like Adobe Acrobat.
Chris Morales, head of security analytics at Vectra, said disclosures like this raise questions concerning the number of vulnerabilities found in the app.
“Software is complex and these types of vulnerabilities are common, but what stands out here to me is the quantity of vulnerabilities,” Morales said. “Eighteen is an abnormally large finding in a single app.”
Morales continued, either no one has been properly examining the Foxit PDF software to identify problems in the code or finding vulnerabilities has become extremely easy by applying machine learning and automation techniques to analyze software code.
“The truth usually lies somewhere in the middle of these two observations,” Morales said. “The outcome is that we are going to see more of these large treasure troves of attack vectors used to exploit software users, which strengthens the argument that we must assume vulnerabilities exist and will be exploited.”As a result, he recommended organizations focus more on detecting threats in real time and responding rapidly to attacks to reduce the impact of vulnerabilities like this.