Description Preview
CVE-2020-17435 is an out-of-bounds read vulnerability (CWE-125) affecting Foxit Studio Photo version 3.6.6.922. The vulnerability exists in the CR2 file parser component where improper validation of user-supplied data can result in reading past the end of an allocated structure. When a user opens a specially crafted CR2 file or visits a malicious webpage containing such a file, an attacker can exploit this vulnerability to access sensitive information outside the intended boundary. This vulnerability could potentially be chained with other vulnerabilities to achieve arbitrary code execution in the context of the current process.
Overview
This vulnerability affects Foxit Studio Photo 3.6.6.922 and involves improper bounds checking when parsing Canon Raw 2 (CR2) image files. When processing maliciously crafted CR2 files, the application fails to properly validate buffer boundaries, leading to an out-of-bounds read condition. This allows attackers to access memory outside the intended buffer, potentially exposing sensitive information that could be used in further attacks. The vulnerability requires user interaction, as the victim must open a malicious CR2 file or visit a webpage containing such a file. The vulnerability was reported to the Zero Day Initiative as ZDI-CAN-11358 and later published as ZDI-20-1346.
Remediation
Users of Foxit Studio Photo should:
- Update to the latest version of Foxit Studio Photo as provided by Foxit Software
- Exercise caution when opening CR2 files from untrusted sources
- Avoid visiting untrusted websites that may attempt to exploit this vulnerability
- Consider using alternative photo editing software until the vulnerability is patched
- Monitor Foxit's security bulletins for updates regarding this vulnerability
- Implement standard security practices such as principle of least privilege when running the application
References
- Foxit Software Security Bulletins: https://www.foxitsoftware.com/support/security-bulletins.html
- Zero Day Initiative Advisory ZDI-20-1346: https://www.zerodayinitiative.com/advisories/ZDI-20-1346/
- Common Weakness Enumeration: CWE-125 (Out-of-bounds Read)
Industry ExposureMost to leastThis section illustrates the prevalence of a specific Common Vulnerabilities and Exposures (CVE) across various industries based on customer reports. The ranking displays industries from the most to least affected by this particular vulnerability, offering valuable insight into where this CVE has been most frequently observed. This information can help organizations within these sectors prioritize their security efforts, understand their relative risk exposure compared to their peers, and focus remediation strategies where they are most needed. By understanding the industry-specific impact, organizations can make more informed decisions regarding patching, resource allocation, and overall risk management related to this CVE.
This section illustrates the prevalence of a specific Common Vulnerabilities and Exposures (CVE) across various industries based on customer reports. The ranking displays industries from the most to least affected by this particular vulnerability, offering valuable insight into where this CVE has been most frequently observed. This information can help organizations within these sectors prioritize their security efforts, understand their relative risk exposure compared to their peers, and focus remediation strategies where they are most needed. By understanding the industry-specific impact, organizations can make more informed decisions regarding patching, resource allocation, and overall risk management related to this CVE.
- Accommodation & Food ServicesAccommodation & Food Services
- Administrative, Support, Waste Management & Remediation ServicesAdministrative, Support, Waste Management & Remediation Services
- Agriculture, Forestry Fishing & HuntingAgriculture, Forestry Fishing & Hunting
- Arts, Entertainment & RecreationArts, Entertainment & Recreation
- ConstructionConstruction
- Educational ServicesEducational Services
- Finance and InsuranceFinance and Insurance
- Health Care & Social AssistanceHealth Care & Social Assistance
- InformationInformation
- Management of Companies & EnterprisesManagement of Companies & Enterprises
- ManufacturingManufacturing
- MiningMining
- Other Services (except Public Administration)Other Services (except Public Administration)
- Professional, Scientific, & Technical ServicesProfessional, Scientific, & Technical Services
- Public AdministrationPublic Administration
- Real Estate Rental & LeasingReal Estate Rental & Leasing
- Retail TradeRetail Trade
- Transportation & WarehousingTransportation & Warehousing
- UtilitiesUtilities
- Wholesale TradeWholesale Trade
