Foxit Reader JPEG2000 / JBIG Decoder Add-On < 2.0.2009.616 Multiple Vulnerabilities

high Nessus Plugin ID 39481

Synopsis

A PDF viewer installed on the remote host is affected by multiple vulnerabilities.

Description

The Foxit Reader application installed on the remote Windows host includes an optional JPEG2000 / JBIG Decoder add-on that is prior to version 2.0.2009.616. It is, therefore affected by multiple vulnerabilities :

- A out-of-bounds read error exists in the add-on due to improper handling of a negative value for the stream offset in a JPEG2000 (JPX) stream. An unauthenticated, remote attacker can exploit this, via a crafted PDF file, to cause a denial of service or to execute arbitrary code. (CVE-2009-0690)

- A flaw exists in the add-on due to improper handling of an unspecified fatal error during the decoding of a JPEG2000 (JPX) header. An unauthenticated, remote attacker can exploit this, via a crafted PDF file, to cause a denial of service or to execute arbitrary code.
(CVE-2009-0691)

Solution

Upgrade to Foxit Reader version 3.0 Build 1817 or later.

See Also

https://www.foxitsoftware.com/support/security-bulletins.php

https://www.foxitsoftware.com/company/press.php?id=124

Plugin Details

Severity: High

ID: 39481

File Name: foxit_reader_jbig_2_0_2009_616.nasl

Version: 1.15

Type: local

Agent: windows

Family: Windows

Published: 6/22/2009

Updated: 7/11/2018

Supported Sensors: Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5.9

CVSS v2

Risk Factor: High

Base Score: 9.3

Temporal Score: 6.9

Vector: CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C

Vulnerability Information

CPE: cpe:/a:foxitsoftware:foxit_reader

Required KB Items: installed_sw/Foxit Reader

Exploit Ease: No known exploits are available

Patch Publication Date: 6/19/2009

Vulnerability Publication Date: 6/19/2009

Reference Information

CVE: CVE-2009-0690, CVE-2009-0691

BID: 35442, 35443

CWE: 189, 399

CERT: 251793