For Foxit's sake: Windows and Mac users alike urged to patch PhantomPDF over use-after-free vulns
CISA points spotlight at PDF reader 'n' creator suite
Windows and Mac users running Foxit's popular PhantomPDF reader should update their installations to the latest version after the US Cybersecurity and Infrastructure Security Agency (CISA) warned of a handful of high-severity product vulnerabilities.
In its latest regular vulnerability bulletin, CISA listed four vulns affecting PhantomPDF, each rated 7.5 (high) under CVSS v2.
The software suite is widely used for manipulating PDFs, particularly by people who, for whatever reason, eschew Adobe's products and pricing model.
Foxit has published updates for its software for both Windows and Apple Mac. Readers running versions prior to 10.1 on Windows, or prior to 4.1 on Mac, ought to download and install them from Foxit's website.
The four most recent vulns range from use-after-free snafus to out-of-bounds memory writes and read/write access violations.
Under CVSS v3 the same vulns score 9.8, a critical rating, though it is important to note that a CVSS base score describes the worst-case impact if a vuln is successfully exploited; it says nothing about whether a working exploit exists or how likely exploitation is in practice.
The Register has asked Foxit for comment.
Use-after-free vulns arise when an application keeps using a pointer to memory it has already handed back to its heap allocator. The allocator may give that same memory to a later allocation, so an attacker who can influence what gets allocated next can fill it with chosen data, such as a fake function pointer; when the application touches the stale pointer it reads the attacker's data instead of the object it expects and, in the worst case, ends up executing code of the attacker's choosing.
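To make that concrete, here is an added illustration (not Foxit's code, and not any of the reported bugs) of a use-after-free on a PDF-reader-style object, followed by one common mitigation. A one-slot allocator stands in for the real heap so that chunk reuse is deterministic and the program runs anywhere; the object layout, the `doc_object`/`doc_handle` names and the "payload" are all constructed for the example.

```c
/* Use-after-free on a reader-style object, and a generation-tagged handle
 * as mitigation. Added illustration only: not Foxit code, not a real bug.
 * A one-slot allocator replaces malloc so that reuse is deterministic. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct {
    int (*render)(const char *);   /* vtable-style function pointer */
    char name[24];
} doc_object;

/* One-slot allocator: memory is never unmapped, only marked free, much like
 * a freed heap chunk that stays readable until the allocator reuses it. */
static union { doc_object obj; unsigned char raw[sizeof(doc_object)]; } slot;
static int      slot_live = 0;
static uint32_t slot_gen  = 1;       /* advances on every free */

static void *slab_alloc(size_t n) {
    if (slot_live || n > sizeof slot) return NULL;
    slot_live = 1;
    memset(&slot, 0, sizeof slot);
    return &slot;
}
static void slab_free(void *p) {
    if (p == (void *)&slot && slot_live) { slot_live = 0; slot_gen++; }
}

static int benign_render(const char *s)   { return (int)strlen(s); }
static int attacker_render(const char *s) { (void)s; return 0xBAD; }

/* Constructed attacker payload the same size as doc_object: a fake function
 * pointer where the parser expects obj->render, then filler bytes. */
static void plant_payload(void) {
    unsigned char *p = slab_alloc(sizeof(doc_object));
    int (*fake)(const char *) = attacker_render;
    memcpy(p, &fake, sizeof fake);
    memset(p + sizeof fake, 'A', sizeof(doc_object) - sizeof fake);
}

/* Vulnerable: a raw pointer outlives the free and is used afterwards. */
int vulnerable_flow(void) {
    doc_object *obj = slab_alloc(sizeof *obj);
    obj->render = benign_render;
    strcpy(obj->name, "page1");
    slab_free(obj);                /* released, but obj still dangles */
    plant_payload();               /* attacker's allocation reuses the chunk */
    int r = obj->render(obj->name);/* use-after-free: calls attacker_render */
    slab_free(&slot);              /* tidy up so the flows can be rerun */
    return r;                      /* 0xBAD */
}

/* Mitigation: callers hold a generation-tagged handle instead of a raw
 * pointer. Resolving a handle after release fails rather than touching
 * memory that may already belong to someone else. */
typedef struct { uint32_t gen; } doc_handle;

static doc_handle doc_new(void) {
    doc_object *o = slab_alloc(sizeof *o);
    o->render = benign_render;
    strcpy(o->name, "page1");
    return (doc_handle){ slot_gen };
}
static doc_object *doc_resolve(doc_handle h) {
    return (slot_live && h.gen == slot_gen) ? &slot.obj : NULL;
}
static void doc_release(doc_handle h) {
    doc_object *o = doc_resolve(h);
    if (o) slab_free(o);
}

int hardened_flow(void) {
    doc_handle h = doc_new();
    doc_release(h);                /* generation advances */
    plant_payload();               /* attacker still gets the chunk ... */
    doc_object *o = doc_resolve(h);
    int r = o ? o->render(o->name) : -1;  /* ... but the stale handle is refused */
    slab_free(&slot);
    return r;                      /* -1 */
}

int main(void) {
    int v = vulnerable_flow();
    int s = hardened_flow();
    printf("vulnerable flow returned 0x%x, hardened flow returned %d\n", v, s);
    return 0;
}
```

On a real heap the reuse in `vulnerable_flow` is not guaranteed but is usually easy to arrange for same-sized chunks, which is exactly what attackers do with object "spraying" in a crafted document. Clearing the pointer on free fixes the single-owner case; the generation check shown here also catches copies of the handle that the freeing code never sees.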
Last year Foxit suffered a data security problem that saw "third parties" gain access to its users' My Account area data. ®