Possible threat identified, and promptly neutralized
On Wednesday, Jan.24, a third-party researcher (Sebastian Feldmann) from usd AG informed us of a possible issue with the PDF-XChange Viewer and Viewer AX SDK: Build 2.5.322.7 whereby a specially constructed PDF file could be exploited by malicious people to compromise a vulnerable system.
Questionable as the threat was to our customers, it was treated with extreme importance. Within 24 hours Tracker Software issued a new release with protection against this potential, if unlikely, risk.
All Tracker Software clients are urged to update to our latest, free PDF-XChange Viewer: Build 2.5.322.8 as soon as possible.
The specific technical nature of the threat was: Hypothetical/potential exploitation in the way we were handling conversion from YCC to RGB colour spaces for corrupted images that were treated like 1 bpc instead of 8bpc, that may allow execution of arbitrary code, but requires tricking a user into opening a malicious PDF document where a memory override can occur.
Acknowledging software defects and security holes is inevitable and Tracker Software treats mission-critical defects and security issues very seriously.
Prompt responses to software defects and security holes have always been — and will continue to be — a top priority of Tracker Software’s product service.
Our known security issue list — a total of five in more than 20 years of product releases and approximately 200 million client installations — is much shorter than that of our competitors’ due to the robust design of our products.
Tracker has published all the historic security issues on its website and keeps tracking potential security issues on daily basis.
We will continue to ensure our clients are protected with quality products and prompt action to resolve any issues found.
All product downloads are available here: