Foxit Software, the US and China-based PDF software developer, has recently released security updates to fix a high severity Remote Code Execution (RCE) vulnerability affecting the PDF reader.
Foxit, which claims to have more than 560 million users located in more than 200 countries, announced that this security flaw could let threat actors execute malicious code on users’ Windows computers and potentially take control of them.
Cisco Talos researcher Aleksandar Nikolic has unearthed the flaw in the V8 JavaScript engine used by Foxit Reader to display dynamic forms and interactive document elements.
As reported by BleepingComputer, the vulnerability, tracked as CVE-2021-21822, originates from a Use After Free bug. Successful exploitation of such bugs can lead to anything from program crashes and data corruption to the execution of arbitrary code on computers running the vulnerable software.
The flaw stems from how the Foxit Reader app and browser extensions handle certain annotation types, which attackers can abuse by crafting malicious PDFs. Such a PDF lets them execute arbitrary code via precise memory control.
(Except for the headline, this story has not been edited by TTE staff and is published from a syndicated feed.)