Threat identified, and promptly neutralized
On Friday, Jan. 18, a third-party researcher (Fernando Muñoz) informed Secunia Research SVCRP of a possible issue with the PDF-XChange Viewer: Build 2.5.207, whereby an embedded JPEG stream within a PDF file could be exploited by malicious people to compromise a vulnerable system.
Questionable as the threat was to our customers, it was treated with extreme importance. Within 24 hours Tracker Software issued a new release with protection against this potential, if unlikely, risk.
All Tracker Software clients are urged to update to our latest, free PDF-XChange Viewer: Build 2.5.208 as soon as possible.
The specific technical nature of the threat was: hypothetical/potential exploitation may allow execution of arbitrary code, but requires tricking a user into opening a malicious PDF document, in which a memory overwrite can occur when the viewer handles the corrupted Define Huffman Table (DHT) header of a JPEG image file stream.
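An added example, not Tracker Software's code and not a reconstruction of the defect in Build 2.5.207 (which this page does not detail): the bounds checks a JPEG decoder needs before it copies anything out of a Define Huffman Table segment, following the segment layout in the JPEG standard. The function, constant and sample names are hypothetical, and the sample bytes are constructed.

```c
#include <stddef.h>
#include <stdint.h>

/* Result codes (hypothetical names for this example). */
enum { DHT_OK, DHT_BAD_HEADER, DHT_BAD_LENGTH, DHT_BAD_CLASS_ID, DHT_TOO_MANY_SYMBOLS };

/* Validate one DHT segment before any table is copied. `seg` points at the
 * 0xFF 0xC4 marker; `avail` is the number of stream bytes from that point. */
int dht_validate(const uint8_t *seg, size_t avail)
{
    if (avail < 4 || seg[0] != 0xFF || seg[1] != 0xC4)
        return DHT_BAD_HEADER;
    /* Big-endian length covers itself (2 bytes) but not the marker. */
    size_t len = ((size_t)seg[2] << 8) | seg[3];
    if (len < 2 || len > avail - 2)
        return DHT_BAD_LENGTH;

    const uint8_t *p = seg + 4;
    size_t left = len - 2;
    while (left > 0) {                     /* one segment may carry several tables */
        if (left < 17)                     /* 1 byte class/id + 16 count bytes */
            return DHT_BAD_LENGTH;
        if ((p[0] >> 4) > 1 || (p[0] & 0x0F) > 3)
            return DHT_BAD_CLASS_ID;       /* class 0=DC, 1=AC; id 0..3 */
        size_t symbols = 0;
        for (int i = 1; i <= 16; i++)      /* number of codes of length i bits */
            symbols += p[i];
        if (symbols > 256)                 /* symbols are 8-bit: at most 256 per table */
            return DHT_TOO_MANY_SYMBOLS;
        if (symbols > left - 17)           /* symbol bytes must lie inside the segment */
            return DHT_BAD_LENGTH;
        p += 17 + symbols;
        left -= 17 + symbols;
    }
    return DHT_OK;
}

/* Constructed samples: a well-formed table with two 2-bit codes, and the same
 * segment with its count bytes corrupted to claim 510 symbols. */
static const uint8_t sample_ok[]  = { 0xFF,0xC4,0x00,0x15, 0x00,
    0,2,0,0, 0,0,0,0, 0,0,0,0, 0,0,0,0, 0x00,0x01 };
static const uint8_t sample_bad[] = { 0xFF,0xC4,0x00,0x15, 0x00,
    255,255,0,0, 0,0,0,0, 0,0,0,0, 0,0,0,0, 0x00,0x01 };

int main(void)
{
    return !(dht_validate(sample_ok, sizeof sample_ok) == DHT_OK &&
             dht_validate(sample_bad, sizeof sample_bad) == DHT_TOO_MANY_SYMBOLS);
}
```

A decoder that trusts the 16 count bytes without these checks will read or write past its fixed-size table when the header is corrupted; rejecting the segment up front keeps the copy loop within bounds.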
Acknowledging software defects and security holes is inevitable and Tracker Software treats mission-critical defects and security issues very seriously.
Prompt responses to software defects and security holes have always been — and will continue to be — a top priority of Tracker Software’s product service.
Our known security issue list — a total of four in more than 15 years of product releases and approximately 150 million client installations — is much shorter than that of our competitors’ due to the robust design of our products.
Tracker has published all the historic security issues on its website and keeps tracking potential security issues on a daily basis.
We will continue to ensure our clients are protected with quality products and prompt action to resolve any issues found.
All product downloads are available here: