For Foxit's sake: Windows and Mac users alike urged to patch PhantomPDF over use-after-free vulns

Windows and Mac users running Foxit's popular PhantomPDF reader should update their installations to the latest version after the US CISA cybersecurity agency warned of a handful of high-severity product vulnerabilities.

In its latest regular threat report, CISA counted four CVSS v2 7.5-level vulns affecting PhantomPDF.

The software suite is widely used for manipulating PDFs, particularly by people who, for whatever reason, eschew Adobe's products and pricing model.

Foxit has published updates for its software in both Windows and Apple Mac formats. Those readers running versions prior to 10.1 for Windows and version 4.1 for Mac ought to download and install them from Foxit's website.

The four most recent vulns range from use-after-free snafus to out-of-bounds memory writes and read/write access violations.

Foxit's patch notes stated, for one of the vulns: "Addressed a potential issue where the application could be exposed to Use-After-Free vulnerability and crash when executing JavaScript in certain AcroForm. This occurs due to the use of Opt object after it has been deleted by calling Field::ClearItems method while executing Field::DeleteOptions method."

Under CVSS v3, the vulns were scored as 9.8, a critical score, though it is important to note that CVSS scores are generally a guide to the worst-case-scenario impact of a vuln if it is misused.

The Register has asked Foxit for comment.

Use-after-free vulns are where an application re-reads memory that has been reallocated by the host system to something else; a suitably prepared malicious person can insert code into the right memory area which could, in theory, be read by the application and executed.

Last year Foxit suffered a data security problem that saw "third parties" gain access to its users' My Account area data. ®