Serious vulnerabilities in Investintech's Able2Extract Professional tool could be exploited by hackers to execute arbitrary code using specially crafted image files.
According to Investintech, Able2Extract Professional has more than 250,000 registered users in 135 countries, including 90% of the Fortune 100. The platform-based tool enables users to view, convert and edit PDF files.
Researchers at Cisco Talos discovered that Able2Extract Professional is affected by two high-severity memory corruption vulnerabilities that can be exploited to execute arbitrary code on the targeted machine.
The vulnerabilities, tracked as CVE-2019-5088 and CVE-2019-5089, can be exploited using specially crafted JPEG or BMP image files to cause an out-of-bounds memory access. If an attacker can persuade the target user to open such a file with Able2Extract Professional, they can run code on the victim's machine.
Cisco Talos said it reported the vulnerabilities to Investintech in early August and that a patch was released on 1 November, but it is not clear which version includes the fix. Talos reproduced the vulnerabilities in version 14.0.7 x64.
Talos has published technical details for both vulnerabilities. Security flaws of this type can be extremely useful to attackers given the large user base of Able2Extract Professional.
Able2Extract is not the only PDF tool in which Talos researchers have found vulnerabilities. They have also found significant flaws in Aspose and Foxit products.