Around the web, there is much noise about a security issue in Foxit Reader, described in Secunia Advisory SA51733 (http://secunia.com/advisories/51733/) and apparently originally in a post by Andrea Micalizzi (http://retrogod.altervista.org/9sg_foxit_overflow.htm).
I suspect that the update for the Foxit Firefox plugin that we received today through Foxit Updater may be a fix for this, but I see no official announcement of this from Foxit, and the Secunia page still says that Foxit has not released a fix.
If today's update fixes this, then I think Foxit should make a public announcement on its security page and also notify Secunia, Mr. Micalizzi and other web sites discussing the issues, just to assure users that all is now well again, if they install the update.
But if today's update does not fix this, at least Foxit should acknowledge that the issue exists (and will be fixed later), so users know not to use the browser plugin until there is a new update for it.
I do agree that security holes should usually not be published until the fix has been rolled out to all 130 million users (because bad guys could then use the info to attack those without the fix), but in this case the cat is so obviously out of the bag that secrecy no longer works, and the best Foxit can do is to acknowledge the issue and tell users what to do.