A new security bug in the popular Foxit PDF reader plugin for web browsers allows miscreants to compromise computers and install malware. There’s no patch for this zero-day vulnerability.
Italian security researcher Andrea Micalizzi discovered that the latest version of the software crashes if users are tricked into clicking on an overly long web link. The plugin is kicked into action by the browser to handle the file and promptly bombs.
But the bug is not triggered by a booby-trapped document, which is the usual way of infecting systems running insecure PDF readers. Instead, clicking on a link to any PDF that deliberately includes a very long query string after the filename causes a buffer overflow in the Foxit plugin.
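As an added example (not code from the article or from Foxit), the following Python snippet flags web-proxy log entries whose URL names a PDF and carries an unusually long query string, which is the trigger described above; the log format, the constructed sample lines and the 512-character threshold are assumptions, since the article gives no exact length.

```python
from urllib.parse import urlsplit

# Assumption: the article gives no exact length, so pick a threshold well above
# what ordinary PDF links carry; tune it against your own traffic.
LONG_QUERY_THRESHOLD = 512

# Constructed sample proxy log lines: timestamp, client IP, method, URL.
SAMPLE_LOG = [
    "2013-01-08T10:01:02Z 10.0.0.5 GET http://intranet.example/docs/policy.pdf",
    "2013-01-08T10:01:09Z 10.0.0.5 GET http://intranet.example/docs/report.pdf?version=3",
    "2013-01-08T10:02:15Z 10.0.0.7 GET http://files.example/brochure.PDF?id=" + "A" * 600,
    "2013-01-08T10:03:40Z 10.0.0.9 GET http://www.example/index.html?q=" + "B" * 900,
]


def is_suspicious_pdf_url(url, threshold=LONG_QUERY_THRESHOLD):
    """True if the URL path names a PDF and its query string is at least `threshold` long.

    Only the path (not the query) decides whether the request is for a PDF, so a
    long query on an HTML page is not flagged: the overflow lives in the PDF plugin.
    """
    parts = urlsplit(url)
    if not parts.path.lower().endswith(".pdf"):
        return False
    return len(parts.query) >= threshold


def scan_log(lines, threshold=LONG_QUERY_THRESHOLD):
    """Return (timestamp, client, query_length) for each flagged request."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 4:
            continue  # malformed line; skip rather than guess
        url = fields[3]
        if is_suspicious_pdf_url(url, threshold):
            hits.append((fields[0], fields[1], len(urlsplit(url).query)))
    return hits


if __name__ == "__main__":
    for ts, client, qlen in scan_log(SAMPLE_LOG):
        print(f"{ts} {client} requested a PDF with a {qlen}-character query string")
```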