
             AUSCERT External Security Bulletin Redistribution

                          ESB-2009.0596 -- [Win]
                   Foxit Reader: Execute Arbitrary Code
                               23 June 2009


        AusCERT Security Bulletin Summary

Product:              Foxit Reader prior to 3.0 Build 1817
Publisher:            US-CERT
Operating System:     Windows
Impact:               Execute Arbitrary Code/Commands
                      Denial of Service
Access:               Remote/Unauthenticated
CVE Names:            CVE-2009-0691 CVE-2009-0690

Original Bulletin:    http://www.kb.cert.org/vuls/id/251793

--------------------------BEGIN INCLUDED TEXT--------------------

US-CERT Vulnerability Note VU#251793

Foxit Reader contains multiple vulnerabilities in the processing of JPX data


   Foxit Reader contains multiple vulnerabilities that may allow an
   attacker to execute arbitrary code.

I. Description

   Foxit Reader is software designed to view Portable Document Format
   (PDF) files. Adobe also distributes the Adobe Acrobat Plug-In to allow
   users to view PDF files inside of a web browser. Foxit Reader contains
   multiple vulnerabilities in the handling of JPX (JPEG2000) streams.
   These vulnerabilities may result in memory corruption.

   Note: Foxit Reader does not contain the ability to decode JPEG2000
   data by default. The JPEG2000 / JBIG Decoder add-on must be
   installed for Foxit Reader to be vulnerable. When Foxit Reader
   encounters a PDF document that has JPEG2000 or JBIG data, the user
   will automatically be prompted to install the add-on, however.
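   As an added defensive triage example (not part of the US-CERT note or
   any Foxit code), the following Python script flags PDFs whose streams
   declare the standard /JPXDecode or /JBIG2Decode filters, i.e. the kind
   of data that would trigger the decoder add-on described above. The
   sample PDF fragments are constructed for the demonstration.

```python
import re
from typing import List

# PDF filter names whose decoders live in the JPEG2000 / JBIG add-on.
# /JPXDecode and /JBIG2Decode are the standard names defined by the PDF spec.
RISKY_FILTERS = {b"JPXDecode", b"JBIG2Decode"}

# Matches either "/Filter /Name" or "/Filter [/Name1 /Name2 ...]".
_FILTER_RE = re.compile(rb"/Filter\s*(\[[^\]]*\]|/[A-Za-z0-9]+)")
_NAME_RE = re.compile(rb"/([A-Za-z0-9]+)")


def risky_filters(pdf_bytes: bytes) -> List[str]:
    """Return the sorted JPX/JBIG2 filter names used by any stream in pdf_bytes.

    Handles both the single-name form and the array form of /Filter.
    Caveat: objects packed inside compressed object streams (/ObjStm) are not
    inspected, so an empty result is a hint, not proof of absence.
    """
    found = set()
    for match in _FILTER_RE.finditer(pdf_bytes):
        for name in _NAME_RE.findall(match.group(1)):
            if name in RISKY_FILTERS:
                found.add(name.decode())
    return sorted(found)


# Constructed minimal PDF fragments for demonstration only (not real documents).
SAMPLE_WITH_JPX = b"""%PDF-1.5
1 0 obj << /Type /XObject /Subtype /Image /Width 1 /Height 1 /Filter /JPXDecode /Length 0 >>
stream
endstream
endobj
"""
SAMPLE_WITH_ARRAY = b"""%PDF-1.5
4 0 obj << /Type /XObject /Subtype /Image /Filter [/FlateDecode /JBIG2Decode] /Length 0 >>
stream
endstream
endobj
"""
SAMPLE_CLEAN = b"""%PDF-1.4
1 0 obj << /Type /XObject /Subtype /Image /Filter /DCTDecode /Length 0 >>
stream
endstream
endobj
"""

if __name__ == "__main__":
    for label, doc in [("jpx", SAMPLE_WITH_JPX), ("array", SAMPLE_WITH_ARRAY), ("clean", SAMPLE_CLEAN)]:
        print(label, risky_filters(doc))
```

   A hit means the document will prompt for (or use) the JPEG2000 / JBIG
   decoder, so it is worth holding for review until the add-on is at the
   fixed version.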

II. Impact

   By convincing a user to open a malicious PDF file, an attacker may be
   able to execute code or cause a vulnerable PDF viewer to crash. The
   PDF could be emailed as an attachment or hosted on a website.

III. Solution

   Apply an update

   This issue is addressed in Foxit Reader 3.0 Build 1817. Updating to
   this version should trigger the process that updates the JPEG2000 /
   JBIG Decoder component to version 2.0.2009.616 if a vulnerable version
   is already installed. Additional details are available in the Foxit
   Reader security advisory.

   Disable JavaScript in Foxit Reader

   Disabling JavaScript may help prevent this and other vulnerabilities
   from being exploited. Foxit Reader JavaScript can be disabled in the
   preferences dialog (Edit -> Preferences -> JavaScript and uncheck
   Enable JavaScript Actions). Note that this will not block the
   vulnerability. Foxit Reader still may crash when parsing specially
   crafted PDF documents.

   Prevent Internet Explorer from automatically opening PDF documents

   The installer for Foxit Reader configures Internet Explorer to
   automatically open PDF files without any user interaction. This
   behavior can be reverted to the safer option of prompting the user by
   importing the following as a .REG file:

   Windows Registry Editor Version 5.00

   Disable the displaying of PDF documents in the web browser

   Preventing PDF documents from opening inside a web browser may help
   mitigate this vulnerability. If this workaround is applied to updated
   versions of Foxit Reader, it may help mitigate future

   To prevent PDF documents from automatically being opened in a web
    1. Open Foxit Reader.
    2. Open the Edit menu.
    3. Choose the Preferences option.
    4. Choose the Internet section.
    5. Uncheck the "Display PDF in browser" check box.

   Do not access PDF documents from untrusted sources

   Do not open unfamiliar or unexpected PDF documents, particularly those
   hosted on web sites or delivered as email attachments. Please see
   Cyber Security Tip ST04-010.

Systems Affected

   Vendor                     Status     Date Notified Date Updated
   Foxit Software Company     Vulnerable 2009-06-02    2009-06-19
   This vulnerability was reported by Will Dormann of the CERT/CC.

   This document was written by Will Dormann.

Other Information

   Date Public:              2009-06-19
   Date First Published:     2009-06-19
   Date Last Updated:        2009-06-19
   CERT Advisory:           
   CVE-ID(s):                CVE-2009-0690; CVE-2009-0691
   NVD-ID(s):                CVE-2009-0690 CVE-2009-0691
   US-CERT Technical Alerts:
   Metric:                   1.02
   Document Revision:        10

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:


If you believe that your computer system has been compromised or attacked in 
any way, we encourage you to let us know by completing the secure National IT 
Incident Reporting Form at:


Australian Computer Emergency Response Team
The University of Queensland
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.

Comment: http://www.auscert.org.au/render.html?it=1967