By Dmitriy Pletnev
Security Specialists in Secunia Research analyse numerous vulnerabilities on a daily basis. Additionally, we review software changes released as service packs, updates, or patches for many applications in order to identify and report any security-related issues.
This additional extended analysis effort provides an opportunity to reveal issues of interest undisclosed by the software's update notification method (e.g. changelogs or support page updates), which may have a security impact for the users, such as silent vulnerability fixes. In addition to uncovering silently patched vulnerabilities we at times come across instances when a vendor reintroduces previously fixed security issues.
In January 2010 a buffer overflow was reported in the handling of the "OpenFile" method in an ActiveX control bundled with Foxit Reader version 22.214.171.1245. However, the control was not marked "safe for scripting", which meant that it could not be remotely exploited via Internet Explorer without going against best security practises by allowing an unsafe control to run.
This particular issue was fixed in November 2010 with the release of Foxit Reader version 126.96.36.1990. At the same time the ActiveX control was marked "safe for scripting". It is unknown whether this was patched as a result of the public report or due to the vendor's Quality Assurance (QA) process.
In May 2011 Foxit Software released the next major version of their PDF reader (version 5.0.1.0523) and still provided the "safe for scripting" ActiveX control. Secunia Research scheduled this major version for extended analysis to identify any security-related changes. As a result, we discovered that the "OpenFile()" method in the FoxitReaderOCX ActiveX control was vulnerable to a heap-based buffer overflow, allowing execution of arbitrary code. After an in-depth review it was identified to be similar to the previously reported "OpenFile()" method buffer overflow in the old, not "safe for scripting" ActiveX control bundled with version 188.8.131.525.
This started our vulnerability coordination process with Foxit Software and the vendor has now released an update to address the vulnerability.