1. The application loads libraries (e.g. dwmapi.dll) in an insecure manner, which can be exploited to load arbitrary libraries by tricking a user into e.g. opening a PDF file located on a remote WebDAV or SMB share.
2. A boundary error in the bundled PDF Reader ActiveX control (ePapyrusReader.ocx) when handling arguments passed to the "open()" method can be exploited to cause a stack-based buffer overflow.
3. Two boundary errors in ePapyrusReader.ocx when handling arguments passed to the "open_stream()" method can be exploited to cause heap-based buffer overflows.
4. A use-after-free error in ePapyrusReader.ocx when handling arguments passed to the "open_stream()" method can be exploited to dereference already freed memory.
5. A use-after-free error in ePapyrusReader.ocx when encountering corrupted arrays in a dictionary can be exploited to dereference already freed memory via a specially crafted PDF file.
6. The unsafe "RemoveFile()" method provided by ePapyrusReader.ocx allows deleting arbitrary files on a user's system.
7. The unsafe "DownloadFTP()" method in combination with the "SetFTPInfo()" method provided by ePapyrusReader.ocx allows downloading arbitrary files to a user's system.
8. The unsafe "UploadFTP()" method in combination with the "SetFTPInfo()" method provided by ePapyrusReader.ocx allows retrieving arbitrary files from a user's system.
The vulnerabilities are confirmed in version 4.0.1.758 bundling ePapyrusReader.ocx version 1.6.2.1874. Other versions may also be affected.
Solution: Set the kill-bit for the affected ActiveX control and do not open untrusted PDF files.
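One way to apply the kill-bit, as an added example that is not part of the original advisory or the vendor's code: the advisory does not list the control's CLSID, so the script looks it up from the COM registration of ePapyrusReader.ocx. The function names are hypothetical, and it assumes an elevated, native (64-bit on 64-bit Windows) PowerShell session.

```powershell
#Requires -RunAsAdministrator
# Added example: set the Internet Explorer kill-bit for every COM class
# whose in-process server is ePapyrusReader.ocx.
$OcxName   = 'ePapyrusReader.ocx'
$KillBit   = 0x400   # "Compatibility Flags" value that blocks instantiation in IE
$ClsidRoots = 'HKLM:\SOFTWARE\Classes\CLSID',
              'HKLM:\SOFTWARE\Wow6432Node\Classes\CLSID'
$KillRoots  = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
              'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'

function Find-ControlClsid {          # hypothetical helper name
    param([string]$FileName)
    foreach ($root in $ClsidRoots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        Get-ChildItem -LiteralPath $root -ErrorAction SilentlyContinue | ForEach-Object {
            $srv = $_.OpenSubKey('InprocServer32')
            if ($srv) {
                # Default value holds the path of the DLL/OCX implementing the class.
                $path = ([string]$srv.GetValue('')).Trim('"')
                $srv.Close()
                if ($path -and ((Split-Path -Leaf $path) -ieq $FileName)) { $_.PSChildName }
            }
        }
    }
}

function Set-KillBit {                # hypothetical helper name
    param([string]$Clsid)
    foreach ($root in $KillRoots) {
        # The Wow6432Node view is absent on 32-bit Windows; skip it there.
        if (-not (Test-Path -LiteralPath $root)) { continue }
        $key = Join-Path $root $Clsid
        if (-not (Test-Path -LiteralPath $key)) { New-Item -Path $key -Force | Out-Null }
        $cur = (Get-ItemProperty -LiteralPath $key -Name 'Compatibility Flags' `
                -ErrorAction SilentlyContinue).'Compatibility Flags'
        # OR the bit in so any flags already present are preserved.
        $new = [int]$cur -bor $KillBit
        Set-ItemProperty -LiteralPath $key -Name 'Compatibility Flags' -Value $new -Type DWord
        '{0}  Compatibility Flags = 0x{1:X}' -f $key, $new
    }
}

$clsids = @(Find-ControlClsid -FileName $OcxName | Sort-Object -Unique)
if (-not $clsids) { Write-Warning "No registered COM class points at $OcxName."; return }
foreach ($c in $clsids) { Set-KillBit -Clsid $c }
```

The kill-bit only stops Internet Explorer from instantiating the control; it does not address the insecure library loading in item 1 or the crafted-PDF issue in item 5, which is why the advisory also says not to open untrusted PDF files.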