Beware: Foxit Reader bug allows hackers run malicious code via PDFs

Foxit Software has released security updates for its widely used Foxit reader to fix a high-severity remote code execution (RCE) vulnerability.


As a result of this security vulnerability, attackers can be capable of running malicious code on users’ Windows computers and potentially take control of the device.


Foxit claims to have over 650 million users in 200 countries, with over 100,000 customers actively using its app.


Multiple high-profile tech firms, including Google, Intel, NASDAQ, Chevron, British Airways, Dell, HP, Lenovo, and Asus, are among the company’s enterprise customers.


The high-severity flaw, dubbed CVE-2021-21822, stems from a Use After Free vulnerability discovered by Cisco Talos’ Aleksandar Nikolic in the V8 JavaScript engine, which is used by Foxit Reader to view dynamic forms and interactive document items.


If the Foxit Reader bug is successfully exploited, it may result in unexpected outcomes such as program crashes and data corruption, as well as the execution of arbitrary code on computers running the compromised software.


The way the Foxit Reader application and browser extensions handle certain annotation types is the source of this security vulnerability, which attackers can exploit to create malicious PDFs that allow them to run arbitrary code through precise memory control.


According to Nikolic, a specially crafted PDF document will cause previously free memory to be reused, resulting in arbitrary code execution.


If the browser plugin extension is enabled, the attacker then has to persuade the user (victim) to open a malicious file or website in order to exploit this vulnerability.


Latest in Cybersecurity: Moriya Windows rootkit exploited in wild for highly targeted attacks


The vulnerability was resolved with the release of Foxit Reader, which affected Foxit Reader bug in versions and earlier versions.


To avoid being targeted, users should download the most recent version of Foxit Reader and then click on “Check for Updates” in the app’s “Help” dialogue.


Also read: Dell BIOS vulnerability puts millions of Dell devices at risk


Several other security vulnerabilities that affected previous Foxit Reader versions have been patched with the release of Foxit Reader 10.1.4.


This involves denial of service, remote code execution, data leak, SQL injection, DLL hijacking, and other vulnerabilities that could affect users’ machines.


The Foxit Reader 10.1.4 update includes a number of security updates.


Issues to which the application can be exposed include:


  • Memory Corruption vulnerability and crash when exporting certain PDF files to other formats.
  • Denial of Service vulnerability and crash when handling certain XFA forms or link objects.
  • Denial of Service, Null Pointer Reference, Out-of-Bounds Read, Context Level Bypass, Type Confusion, or Buffer Overflow vulnerability and crash, which could be exploited by attackers to execute remote code.
  • Arbitrary File Deletion vulnerability due to improper access control.
  • DLL Hijacking vulnerability when it was launched, which could be exploited by attackers to execute remote code by placing a malicious DLL in the specified path directory.
  • Out-of-Bounds Write/Read Remote Code Execution or Information Disclosure vulnerability and crash when handling certain JavaScript or XFA forms.
  • Out-of-Bounds Write vulnerability when parsing certain PDF files that contain nonstandard /Size key value in the Trailer dictionary.
  • Out-of-Bounds, write vulnerability and crash when converting certain PDF files to Microsoft Office files.
  • Arbitrary File Write Remote Code Execution vulnerability when executing certain JavaScript.
  • SQL Injection Remote Code Execution vulnerability.
  • Uninitialized Variable Information Disclosure vulnerability and crash.
  • Out-of-Bounds Read or Heap-based Buffer Overflow vulnerability and crash, which could be exploited by attackers to execute remote code or disclose sensitive information


There was a bug in the Foxit Reader application that caused it to produce incorrect signature details for PDF files with invisible digital signatures.