
Security Fixes in Foxit Update

People who use the free Foxit Reader software as an alternative to Adobe for viewing portable document format (PDF) files should take note: Foxit has shipped a new version that plugs a serious security hole in the program.

The newest version, available here, brings Foxit to v. 2.3, Build 2923. Not sure which version you're running? Click "Help," and "About Foxit."

Researchers at security firm Secunia labeled the vulnerability as "highly critical." The flaw stems from a problem with the way Foxit handles JavaScript.

I prefer Foxit over Adobe, and here's one good example why: The lack of program bloat. Turns out, most Foxit Reader users don't have to worry about this flaw to begin with, because the free Foxit Reader ships without JavaScript support by default. Rather, it is available as an add-on that you must manually download and install after installing the base program.

By comparison, have a look at the number of Adobe Reader vulnerabilities that involve JavaScript, which ships with the free Adobe program.

I also like the fact that Foxit is far nimbler in fixing security vulnerabilities. Adobe has been known to take months to plug security holes. Foxit managed to ship a fix for this vulnerability in fewer than five days. Last month, it corrected a similarly severe vulnerability within about 24 hours from the time researchers released details about the bug.

Update, May 28, 10:18 a.m. ET: Thomas Kristensen, chief technology officer at Secunia, which is credited with discovering this flaw, asked that I add the following clarification to this post: "We would like to clarify that the vulnerability is in the core Foxit Reader code, not in the JavaScript plugin. This means that users who have just the default installation are still vulnerable, so we recommend that all users, regardless of whether they installed the JavaScript plugin or not, update their Foxit Reader."

By Brian Krebs  |  May 27, 2008; 10:00 AM ET
Categories:  New Patches  


© 2010 The Washington Post Company