Cisco Talos announced that it has discovered two remote code execution vulnerabilities in Investintech’s cross-platform PDF tool. The flaws allow attackers to execute arbitrary code on the victim’s machine.
According to a blog post by Jon Munshaw, Piotr Bania of Cisco Talos discovered two remote code execution vulnerabilities in Investintech’s popular cross-platform PDF tool for Windows, Mac, and Linux. Able2Extract Professional allows users to convert and edit PDF files. PDF signing, redactions, and annotation are also some of Able2Extract’s features. Vulnerabilities in the software allow attackers to execute arbitrary code on the device.
Specially crafted JPEG and BMP files
A specially crafted JPEG file can cause an out-of-bounds memory write, and the resulting memory corruption can be exploited to execute arbitrary code. The second vulnerability is very similar to the first: instead of a JPEG file, a specially crafted BMP file triggers it and likewise allows arbitrary code execution.
The CVSSv3 score for the vulnerabilities is 8.8. Investintech worked with Cisco Talos to resolve the issues, and updates have been released. Affected customers on any of the supported operating systems can protect their systems by downloading and installing the latest updates.