Solutionary ID: SERT-VDN-1009
Risk Rating: Low
CVE ID: CVE-2011-3691
Product: Foxit Reader
Application Vendor: Foxit
Vendor URL: http://www.foxitsoftware.com
Date discovered: 6/09/2011
Discovered by: Jose Hernandez and the Solutionary Engineering Research Team (SERT)
Vendor notification date: 6/10/2011
Vendor response date: 6/10/2011
Vendor acknowledgment date: 6/20/2011
Public disclosure date: 7/21/2011
Type of vulnerability: Insecure Library Loading (DLL Hijacking)
Exploit Vectors: Local and Remote
Vulnerability Description: Foxit Reader is vulnerable to a Insecure Library Loading vulnerability. The libraries identified as being vulnerable are dwmapi.dll, dwrite.dll and msdrm.dll. The vulnerability lies in the way Microsoft Windows loads DLLs. If applications load a library from a specific path and call that path implicitly, Microsoft Windows searches several default paths to find and load the library. A malicious attacker can create a malicious DLL with the same name and place it in a directory where Microsoft Windows searches by default. The application will load the malicious DLL resulting in arbitrary code execution.
Tested on: Windows XP SP3 and Foxit Reader version 5.0.1.0523. Affected software versions: Foxit Reader version 5.0.1.0523 (previous versions may also be vulnerable)
Fixed in: Foxit Reader version 5.0.2.0718.
Remediation guidelines: The vendor has provided a patch to fix this issue. Please upgrade to Foxit Reader version 5.0.2.0718.