
===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2016.2798
       Multiple vulnerabilities have been identified in Foxit Reader
                             23 November 2016

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Foxit Reader
Publisher:         Zero Day Initiative
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Denial of Service               -- Remote/Unauthenticated
                   Access Confidential Data        -- Remote/Unauthenticated
Resolution:        Patch/Upgrade

Original Bulletin: 
   http://www.zerodayinitiative.com/advisories/ZDI-16-610/
   http://www.zerodayinitiative.com/advisories/ZDI-16-611/
   http://www.zerodayinitiative.com/advisories/ZDI-16-612/
   http://www.zerodayinitiative.com/advisories/ZDI-16-613/
   http://www.zerodayinitiative.com/advisories/ZDI-16-614/

Comment: This bulletin contains five (5) Zero Day Initiative security 
         advisories.

--------------------------BEGIN INCLUDED TEXT--------------------

Foxit Reader JPEG2000 Parsing Heap-Based Buffer Overflow Remote Code Execution 
Vulnerability

ZDI-16-610: November 22nd, 2016

CVSS Score

    6.8, (AV:N/AC:M/Au:N/C:P/I:P/A:P) 

Affected Vendors

    Foxit

Affected Products

    Reader

Vulnerability Details

This vulnerability allows remote attackers to execute arbitrary code on 
vulnerable installations of Foxit Reader. User interaction is required to 
exploit this vulnerability in that the target must visit a malicious page or 
open a malicious file.

The specific flaw exists within JPEG2000 parsing. The issue results from the 
lack of proper validation of the length of user-supplied data prior to copying
it to a heap-based buffer. An attacker can leverage this vulnerability to 
execute code under the context of the current process.

Vendor Response
Foxit has issued an update to correct this vulnerability. More details can be 
found at:

    https://www.foxitsoftware.com/support/security-bulletins.php

Disclosure Timeline

    2016-10-17 - Vulnerability reported to vendor
    2016-11-22 - Coordinated public release of advisory

Credit
This vulnerability was discovered by:

    Gogil of STEALIEN

---

Foxit Reader JPEG2000 Parsing Out-Of-Bounds Read Information Disclosure 
Vulnerability

ZDI-16-611: November 22nd, 2016

CVSS Score

    4.3, (AV:N/AC:M/Au:N/C:P/I:N/A:N) 

Affected Vendors

    Foxit

Affected Products

    Reader

Vulnerability Details


This vulnerability allows remote attackers to disclose sensitive information on
vulnerable installations of Foxit Reader. User interaction is required to 
exploit this vulnerability in that the target must visit a malicious page or
open a malicious file.

The specific flaw exists within the handling of JPEG2000 images. The process 
does not properly validate user-supplied data, which can result in a read past
the end of an allocated object. An attacker can leverage this in conjunction
with other vulnerabilities to execute code in the context of the current
process.
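
The length validation whose absence ZDI-16-610 (heap overflow) and ZDI-16-611 (out-of-bounds read) describe, as an added C example that is not Foxit's or ZDI's code. The advisories do not name the affected JPEG2000 structure, so the JP2 box header (4-byte length, 4-byte type, optional 8-byte extended length) is an assumed illustration; `jp2_copy_box` and the sample bytes are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed samples: a JP2 signature box, and the same box claiming 256 bytes. */
static const uint8_t SAMPLE_OK[]  = {0,0,0,12, 'j','P',' ',' ', 0x0D,0x0A,0x87,0x0A};
static const uint8_t SAMPLE_BAD[] = {0,0,1,0,  'j','P',' ',' ', 0x0D,0x0A,0x87,0x0A};

/* Big-endian 32-bit read; the caller guarantees 4 readable bytes. */
static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Hypothetical helper: copy the payload of the box at `off` into `dst`.
 * Returns the payload length, or -1 when the declared length does not fit
 * the input (out-of-bounds read) or the destination (heap overflow). */
long jp2_copy_box(const uint8_t *in, size_t in_len, size_t off,
                  uint8_t *dst, size_t dst_cap) {
    if (off > in_len || in_len - off < 8) return -1;  /* header must fit */
    size_t avail = in_len - off, hdr = 8;
    uint64_t lbox = be32(in + off);
    if (lbox == 1) {                  /* 64-bit extended length follows */
        if (avail < 16) return -1;
        lbox = ((uint64_t)be32(in + off + 8) << 32) | be32(in + off + 12);
        hdr = 16;
    } else if (lbox == 0) {           /* box runs to the end of the input */
        lbox = avail;
    }
    if (lbox < hdr)   return -1;      /* shorter than its own header */
    if (lbox > avail) return -1;      /* would read past the input */
    size_t payload = (size_t)(lbox - hdr);
    if (payload > dst_cap) return -1; /* would write past the destination */
    memcpy(dst, in + off + hdr, payload);
    return (long)payload;
}

int main(void) {
    uint8_t dst[16];
    printf("ok=%ld bad=%ld\n",
           jp2_copy_box(SAMPLE_OK, sizeof SAMPLE_OK, 0, dst, sizeof dst),
           jp2_copy_box(SAMPLE_BAD, sizeof SAMPLE_BAD, 0, dst, sizeof dst));
    return 0;
}
```

Every comparison is made against the remaining input or the destination capacity before `memcpy` runs, so a declared length is never trusted on its own.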

Vendor Response
Foxit has issued an update to correct this vulnerability. More details can be
found at:

    https://www.foxitsoftware.com/support/security-bulletins.php

Disclosure Timeline

    2016-10-17 - Vulnerability reported to vendor
    2016-11-22 - Coordinated public release of advisory

Credit
This vulnerability was discovered by:

    Gogil of STEALIEN

---

Foxit Reader JPEG2000 Parsing Out-Of-Bounds Read Information Disclosure
Vulnerability

ZDI-16-612: November 22nd, 2016

CVSS Score

    4.3, (AV:N/AC:M/Au:N/C:P/I:N/A:N) 

Affected Vendors

    Foxit

Affected Products

    Reader

Vulnerability Details

This vulnerability allows remote attackers to disclose sensitive information
on vulnerable installations of Foxit Reader. User interaction is required to
exploit this vulnerability in that the target must visit a malicious page or
open a malicious file.

The specific flaw exists within the handling of JPEG2000 images. The process
does not properly validate user-supplied data, which can result in a read past
the end of an allocated object. An attacker can leverage this in conjunction
with other vulnerabilities to execute code in the context of the current
process.

Vendor Response
Foxit has issued an update to correct this vulnerability. More details can be
found at:

    https://www.foxitsoftware.com/support/security-bulletins.php

Disclosure Timeline

    2016-10-17 - Vulnerability reported to vendor
    2016-11-22 - Coordinated public release of advisory

Credit
This vulnerability was discovered by:

    Gogil of STEALIEN

---

Foxit Reader JPEG2000 Parsing Use-After-Free Remote Code Execution
Vulnerability

ZDI-16-613: November 22nd, 2016

CVSS Score

    6.8, (AV:N/AC:M/Au:N/C:P/I:P/A:P) 

Affected Vendors

    Foxit

Affected Products

    Reader

Vulnerability Details


This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of Foxit Reader. User interaction is required to 
exploit this vulnerability in that the target must visit a malicious page or
open a malicious file.

The specific flaw exists within JPEG2000 parsing. The process does not
properly validate the existence of an object prior to performing operations on
the object. An attacker can leverage this vulnerability to execute code under
the context of the current process.

Vendor Response
Foxit has issued an update to correct this vulnerability. More details can be
found at:

    https://www.foxitsoftware.com/support/security-bulletins.php

Disclosure Timeline

    2016-10-17 - Vulnerability reported to vendor
    2016-11-22 - Coordinated public release of advisory

Credit
This vulnerability was discovered by:

    Gogil of STEALIEN

---

Foxit Reader JPEG2000 Parsing Out-Of-Bounds Read Information Disclosure
Vulnerability

ZDI-16-614: November 22nd, 2016

CVSS Score

    4.3, (AV:N/AC:M/Au:N/C:P/I:N/A:N) 

Affected Vendors

    Foxit

Affected Products

    Reader

Vulnerability Details

This vulnerability allows remote attackers to disclose sensitive information
on vulnerable installations of Foxit Reader. User interaction is required to
exploit this vulnerability in that the target must visit a malicious page or
open a malicious file.

The specific flaw exists within the handling of JPEG2000 images. The process
does not properly validate user-supplied data, which can result in a read past
the end of an allocated object. An attacker can leverage this in conjunction
with other vulnerabilities to execute code in the context of the current
process.

Vendor Response
Foxit has issued an update to correct this vulnerability. More details can be
found at:

    https://www.foxitsoftware.com/support/security-bulletins.php

Disclosure Timeline

    2016-10-17 - Vulnerability reported to vendor
    2016-11-22 - Coordinated public release of advisory

Credit
This vulnerability was discovered by:

    Gogil of STEALIEN

--------------------------END INCLUDED TEXT--------------------

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================