Foxit Reader Insecure Library Loading

Solutionary ID: SERT-VDN-1009

Risk Rating: Low

CVE ID: CVE-2011-3691

Product: Foxit Reader

Application Vendor: Foxit

Vendor URL: http://www.foxitsoftware.com

Date discovered: 6/09/2011

Discovered by: Jose Hernandez and the Solutionary Engineering Research Team (SERT)

Vendor notification date: 6/10/2011

Vendor response date: 6/10/2011

Vendor acknowledgment date: 6/20/2011

Public disclosure date: 7/21/2011

Type of vulnerability: Insecure Library Loading (DLL Hijacking)

Exploit Vectors: Local and Remote

Vulnerability Description: Foxit Reader is vulnerable to a Insecure Library Loading vulnerability. The libraries identified as being vulnerable are dwmapi.dll, dwrite.dll and msdrm.dll. The vulnerability lies in the way Microsoft Windows loads DLLs. If applications load a library from a specific path and call that path implicitly, Microsoft Windows searches several default paths to find and load the library. A malicious attacker can create a malicious DLL with the same name and place it in a directory where Microsoft Windows searches by default. The application will load the malicious DLL resulting in arbitrary code execution.

Tested on: Windows XP SP3 and Foxit Reader version 5.0.1.0523. Affected software versions: Foxit Reader version 5.0.1.0523 (previous versions may also be vulnerable)

Fixed in: Foxit Reader version 5.0.2.0718.

Remediation guidelines: The vendor has provided a patch to fix this issue. Please upgrade to Foxit Reader version 5.0.2.0718.