
Latest and Greatest is not Always Safest

11:58 CET on the 26th July 2011
Entry written by Dmitriy Pletnev.

Security Specialists in Secunia Research analyse numerous vulnerabilities on a daily basis. Additionally, we review software changes released as service packs, updates, or patches for many applications in order to identify and report any security-related issues.

This additional extended analysis effort provides an opportunity to reveal issues of interest undisclosed by the software's update notification method (e.g. changelogs or support page updates), which may have a security impact for the users, such as silent vulnerability fixes. In addition to uncovering silently patched vulnerabilities we at times come across instances when a vendor reintroduces previously fixed security issues.

In January 2010 a buffer overflow was reported in the handling of the "OpenFile" method in an ActiveX control bundled with Foxit Reader version 3.1.4.1125. However, the control was not marked "safe for scripting", which meant that it could not be remotely exploited via Internet Explorer without going against best security practices by allowing an unsafe control to run.

This particular issue was fixed in November 2010 with the release of Foxit Reader version 4.3.0.1110. At the same time the ActiveX control was marked "safe for scripting". It is unknown whether this was patched as a result of the public report or due to the vendor's Quality Assurance (QA) process.
 
In May 2011 Foxit Software released the next major version of their PDF reader (version 5.0.1.0523) and still provided the "safe for scripting" ActiveX control. Secunia Research scheduled this major version for extended analysis to identify any security-related changes. As a result, we discovered that the "OpenFile()" method in the FoxitReaderOCX ActiveX control was vulnerable to a heap-based buffer overflow, allowing execution of arbitrary code. After an in-depth review it was identified to be similar to the previously reported "OpenFile()" method buffer overflow in the old, not "safe for scripting" ActiveX control bundled with version 3.1.4.1125.
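The distinction the post draws is whether a control is registered as "safe for scripting", because only such controls are instantiated by Internet Explorer from a web page without a prompt. The following PowerShell inventory is an added example written for this page, not Secunia's or Foxit's code. It enumerates the COM controls on the local machine that carry the standard CATID_SafeForScripting category, reports whether they are also safe for initialization, and shows whether the Internet Explorer kill bit (Compatibility Flags 0x400) is set for them; a second function applies that kill bit, which is the usual mitigation while waiting for a vendor fix. The CATID values and registry paths are Microsoft's documented ones; the name filter, function names and the Foxit example call are assumptions for illustration.

```powershell
# Added example (not from the original post): inventory COM controls registered
# as "safe for scripting" and check Internet Explorer's kill bit for each.
# Assumes a Windows host. The category and flag values below are the documented
# COM/IE constants; the function and parameter names are this example's own.

$SafeForScripting    = '{7DD95801-9882-11CF-9FA9-00AA006C42C4}'   # CATID_SafeForScripting
$SafeForInitializing = '{7DD95802-9882-11CF-9FA9-00AA006C42C4}'   # CATID_SafeForInitializing
$KillBitRoot = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'
$KillBitFlag = 0x400

function Get-SafeForScriptingControl {
    # Returns one object per CLSID that lists CATID_SafeForScripting under
    # "Implemented Categories". -NameFilter matches the control's friendly
    # name or its server DLL path (wildcards allowed).
    param([string]$NameFilter = '*')

    Get-ChildItem 'Registry::HKEY_CLASSES_ROOT\CLSID' -ErrorAction SilentlyContinue |
      ForEach-Object {
        $clsid = $_.PSChildName
        $cats  = $_.PSPath + '\Implemented Categories'
        if (-not (Test-Path $cats)) { return }
        $catIds = (Get-ChildItem $cats -ErrorAction SilentlyContinue).PSChildName
        if ($catIds -notcontains $SafeForScripting) { return }

        $name   = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).'(default)'
        $server = (Get-ItemProperty -Path ($_.PSPath + '\InprocServer32') -ErrorAction SilentlyContinue).'(default)'
        if (($name -notlike $NameFilter) -and ($server -notlike $NameFilter)) { return }

        # Kill bit: "Compatibility Flags" with bit 0x400 set under the IE key for this CLSID
        $flags = 0
        $kb = Join-Path $KillBitRoot $clsid
        if (Test-Path $kb) {
            $flags = [int](Get-ItemProperty -Path $kb -ErrorAction SilentlyContinue).'Compatibility Flags'
        }

        [pscustomobject]@{
            CLSID               = $clsid
            Name                = $name
            Server              = $server
            SafeForInitializing = ($catIds -contains $SafeForInitializing)
            KillBitSet          = (($flags -band $KillBitFlag) -ne 0)
        }
      }
}

function Set-ActiveXKillBit {
    # Sets the IE kill bit for one CLSID so Internet Explorer refuses to load it.
    # Requires administrative rights; existing flag bits are preserved.
    param([Parameter(Mandatory)][string]$Clsid)

    $kb = Join-Path $KillBitRoot $Clsid
    if (-not (Test-Path $kb)) { New-Item -Path $kb -Force | Out-Null }
    $current = 0
    $existing = Get-ItemProperty -Path $kb -ErrorAction SilentlyContinue
    if ($null -ne $existing.'Compatibility Flags') { $current = [int]$existing.'Compatibility Flags' }
    Set-ItemProperty -Path $kb -Name 'Compatibility Flags' -Type DWord -Value ($current -bor $KillBitFlag)
}

# Example call (assumed filter): list scriptable controls whose name or DLL mentions Foxit.
Get-SafeForScriptingControl -NameFilter '*Foxit*' | Format-Table -AutoSize
```

Run the inventory before and after a vendor upgrade and diff the output: a control that newly appears as safe for scripting, as happened between Foxit Reader 3.1.4.1125 and 4.3.0.1110, is exactly the change this post is warning about. On 64-bit Windows, 32-bit controls also register under HKLM\SOFTWARE\Wow6432Node, so check that hive as well if the reader is a 32-bit build.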

This started our vulnerability coordination process with Foxit Software and the vendor has now released an update to address the vulnerability.

Stay Secure,


Dmitriy Pletnev
Security Specialist

Discuss this blog entry
Subject: Latest and Greatest is not Always Safest
 
Gustar_Terpstra RE: Latest and Greatest is not Always Safest
Member 5th Aug, 2012 14:32
Score: -1
Posts: 7
User Since: 5th Aug 2012
System Score: N/A
Location: NL
Last edited on 5th Aug, 2012 14:32
What is advisable to use for the PSI-versions?

--
Gustar Terpstra
vincentpetit RE: Latest and Greatest is not Always Safest
Member 9th Oct, 2012 14:17
Score: 2
Posts: 1
User Since: 9th Oct 2012
System Score: N/A
Location: FR
Last edited on 9th Oct, 2012 14:17
Funny, so by silently implementing a patch, unaware users are in fact tearing up old security wounds and consequently compromising their own security! Seems we need to be always on the alert on staying secure, also by following the patch advice. I am happy about the fact that we always have Secunia at hand for vendor-independent intelligence on the matter. Stay alert while staying secure ( :

--
Everybody should promote the Secunia PSI in their own country in order to contribute to a safer internet and more awareness on combatting cyber-criminality. This is a post I wrote on Secunia's PSI in France: http://www.nettoyerpc.fr/internet-security/secunia...



© 2002-2014 Secunia ApS - Rued Langgaards Vej 8, 4th floor, DK-2300 Copenhagen, Denmark - +45 7020 5144