DLL hijacking vulnerability
-
jsantana
- User
- Posts: 1
- Joined: Mon Aug 30, 2010 3:39 pm
DLL hijacking vulnerability
There has been a lot of press of the "Dll hijacking vulnerability" recently. There are reports of over 200+ apps being vulnerable. I was wondering if PDF-Xchange was vulnerable to this and if so, is an update going to be released in the near future?
Regards
-
John - Tracker Supp
- Site Admin
- Posts: 5225
- Joined: Tue Jun 29, 2004 10:34 am
Re: DLL hijacking vulnerability
We are indeed testing now - the latest release appears to be secure - we will finish testing later today and supply a definitive answer.
Some earlier builds however could be affected and we cannot test all - so I would strongly suggest updating to the latest release.
https://www.pdf-xchange.com/product/downloads
HTH
If posting files to this forum - you must archive the files to a ZIP, RAR or 7z file or they will not be uploaded - thank you.
Best regards
Tracker Support
http://www.tracker-software.com
-
John - Tracker Supp
- Site Admin
- Posts: 5225
- Joined: Tue Jun 29, 2004 10:34 am
Re: DLL hijacking vulnerability
Further to a communication received today and a reported potential Windows vulnerability located affecting almost every application running on MS Windows operating systems (see links below)
http://blog.metasploit.com/2010/08/expl ... flaws.html
and
https://www.microsoft.com/technet/secur ... 69637.mspx
We have run all the suggested tests on both build 2.0050 and 2.0054 (the current latest release) of the PDF-XChange Viewer and concluded that whilst the initial tests suggest a potential flaw is possible - once the full tests are run - the results come back that the PDF-XChange Viewer is in fact not affected - on either build detailed.
After further exhaustive testing - we do accept however that there is still some (almost inconceivably small) potential 'latitude' for an exploit to occur and we will be adding additional security code to fully block any potential for substitute dll's to be used from any location other than the required genuine DLL's.
This build will be available (2.00.55) during the week beginning September 6th 2010 as part of our scheduled product update offering.
HTH
Best regards
Tracker Support
http://www.tracker-software.com
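The post above describes the fix as refusing substitute DLLs from any location other than the genuine one. The class of bug behind the thread is a module loaded by bare name (here wintab32.dll, as named later in the thread), which lets the Windows loader search the application directory, the current directory and PATH before the system directory. The following is an added example, not PDF-XChange code: a small hardened-loader helper that only ever passes an absolute path inside the Windows system directory to the loader. The name check and path join are portable C so they can be exercised anywhere; the actual LoadLibraryExW/SetDllDirectory calls are compiled only on Windows. Function names (is_plain_dll_name, build_trusted_dll_path, load_system_dll) are hypothetical.

```c
/* Added example, not PDF-XChange code: load a named DLL only from the
 * Windows system directory, never from the current directory or PATH. */
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#ifndef LOAD_LIBRARY_SEARCH_SYSTEM32
#define LOAD_LIBRARY_SEARCH_SYSTEM32 0x00000800 /* value from the Windows SDK */
#endif
#endif

/* Accept only a plain "name.dll": no separators, drive letters or parent
 * references, so a path component smuggled into the module name cannot
 * escape the trusted directory. */
bool is_plain_dll_name(const char *name) {
    if (name == NULL || *name == '\0') return false;
    if (strchr(name, '/') || strchr(name, '\\') || strchr(name, ':')) return false;
    if (strstr(name, "..")) return false;
    size_t n = strlen(name);
    if (n < 5) return false;
    const char *ext = name + n - 4;
    return ext[0] == '.' &&
           tolower((unsigned char)ext[1]) == 'd' &&
           tolower((unsigned char)ext[2]) == 'l' &&
           tolower((unsigned char)ext[3]) == 'l';
}

/* Join trusted_dir and name into out ("<dir>\<name>"); false on a bad name
 * or if the buffer is too small (a truncated path must never be loaded). */
bool build_trusted_dll_path(const char *trusted_dir, const char *name,
                            char *out, size_t out_len) {
    if (trusted_dir == NULL || out == NULL || !is_plain_dll_name(name)) return false;
    int written = snprintf(out, out_len, "%s\\%s", trusted_dir, name);
    return written > 0 && (size_t)written < out_len;
}

#ifdef _WIN32
/* Hardened load: absolute path under the system directory, plus
 * LOAD_LIBRARY_SEARCH_SYSTEM32 so the module's own dependencies are also
 * resolved from System32 rather than from the current directory. */
HMODULE load_system_dll(const char *name) {
    char sysdir[MAX_PATH], full[MAX_PATH];
    if (GetSystemDirectoryA(sysdir, sizeof sysdir) == 0) return NULL;
    if (!build_trusted_dll_path(sysdir, name, full, sizeof full)) return NULL;
    return LoadLibraryExA(full, NULL, LOAD_LIBRARY_SEARCH_SYSTEM32);
}
#endif

int main(void) {
#ifdef _WIN32
    /* Insecure pattern for contrast: LoadLibraryA("wintab32.dll") would let
     * the loader consult the current directory. Instead, drop the current
     * directory from the process-wide search order and load by full path. */
    SetDllDirectoryA("");
    HMODULE h = load_system_dll("wintab32.dll");
    printf("wintab32.dll: %s\n", h ? "loaded from the system directory" : "not loaded");
#else
    /* Off Windows, exercise only the portable path logic. */
    char full[260];
    bool ok = build_trusted_dll_path("C:\\Windows\\System32", "wintab32.dll", full, sizeof full);
    printf("%s -> %s\n", ok ? "ok" : "rejected", ok ? full : "(none)");
    printf("relative name rejected: %s\n",
           is_plain_dll_name("..\\wintab32.dll") ? "no" : "yes");
#endif
    return 0;
}
```

On Windows, the pairing of SetDllDirectory("") with an absolute path is the mitigation recommended in the Microsoft advisory linked above; the name filter matters because a loader helper that accepts arbitrary strings would simply move the problem one call deeper.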
-
yehgdotnet
- User
- Posts: 1
- Joined: Fri Sep 03, 2010 10:03 am
Re: DLL hijacking vulnerability
The vulnerable DLL is wintab32.dll
We're looking forward to the fixed version.
-
John - Tracker Supp
- Site Admin
- Posts: 5225
- Joined: Tue Jun 29, 2004 10:34 am
Re: DLL hijacking vulnerability
Hi,
yes - we are well aware of the DLL and as previously mentioned - if you run the full test made available - PDF-XChange Viewer is actually removed from any listing as being affected - however it is 'remotely' and theoretically (just about) conceivable in very very specific circumstances that this could be used - which is what we will block in an upcoming release next week.
HTH
Best regards
Tracker Support
http://www.tracker-software.com
-
Spiff
- User
- Posts: 82
- Joined: Sun Apr 18, 2010 11:41 am
Re: DLL hijacking vulnerability
Secunia Advisory SA41197 labels this vulnerability as "Highly critical".
See:
http://secunia.com/advisories/41197/
http://secunia.com/community/advisories/terminology/
Last edited by Spiff on Fri Sep 03, 2010 10:01 pm, edited 1 time in total.
-
Spiff
- User
- Posts: 82
- Joined: Sun Apr 18, 2010 11:41 am
Re: DLL hijacking vulnerability
John - Tracker Supp wrote: HTH
"Hit The Hay"?
-
John - Tracker Supp
- Site Admin
- Posts: 5225
- Joined: Tue Jun 29, 2004 10:34 am
Re: DLL hijacking vulnerability
If you prefer 
But actually meaning - 'Hope that Helps'
Best regards
Tracker Support
http://www.tracker-software.com
-
Spiff
- User
- Posts: 82
- Joined: Sun Apr 18, 2010 11:41 am
Re: DLL hijacking vulnerability
Last night, I noticed v2.0.0055.0 was available.
I suppose the insecure library loading vulnerability (dll hijacking vulnerability) is fixed in that new build?
I see that there's not yet a change log for that new build, at the PDF-XChange Viewer Version History page.
https://www.pdf-xchange.com/PDFXV_history.html
When will that page be updated?
Thanks very much.
-
Ivan - Tracker Software
- Site Admin
- Posts: 3603
- Joined: Thu Jul 08, 2004 10:36 pm
Re: DLL hijacking vulnerability
Yes, this possible vulnerability is fixed in just released build 55.
Build history for this build will be available a bit later.
PDF-XChange Co Ltd. (Project Director)
When attaching files to any message - please ensure they are archived and posted as a .ZIP, .RAR or .7z format - or they will not be posted - thanks.
-
Spiff
- User
- Posts: 82
- Joined: Sun Apr 18, 2010 11:41 am
Re: DLL hijacking vulnerability
Dear Tracker Software,
Build 55.0 was released last Friday night.
Yesterday, Secunia confirmed that this update fixed the mentioned vulnerability.
http://secunia.com/advisories/41197
But still, the PDF-XChange Viewer Version History page does not show the new build's change log.
https://www.pdf-xchange.com/PDFXV_history.html
I know that it takes Tracker Software a couple of days to add the newest release to that history page, usually (as also mentioned by Bhikkhu Pesala, in another thread), but I don't understand why.
As you release a new build, wouldn't it be rather easy to add that build's change log to the history page, right away?
Thanks very much
and kind regards,
Spiff
-
John - Tracker Supp
- Site Admin
- Posts: 5225
- Joined: Tue Jun 29, 2004 10:34 am
Re: DLL hijacking vulnerability
Hi,
Would you prefer we hold up the release until we have had time to update the version history ?
We usually prepare a release late on a Friday or over the weekend and this always results in a spate of requests, language file updates and developer communications - I appreciate the Version history is useful - but if you really need that to make a decision on whether to update or not - you do have the choice of waiting until done.
It will be updated today.
Best regards
Tracker Support
http://www.tracker-software.com
-
Spiff
- User
- Posts: 82
- Joined: Sun Apr 18, 2010 11:41 am
Re: DLL hijacking vulnerability
Hi John,
Thanks very much for your reply.
You asked, "Would you prefer we hold up the release until we have had time to update the version history ?"
No, of course not.
My apologies if I was a bit of a bore.
I never realized that releasing a new PDF-XChange Viewer build would come with so many little adjustments and so much work to do at the last moment. If I had known, I would have seen how that would result in there not being a ready-made change log. If I had known, I wouldn't have been whining about it.
You said, "I appreciate the Version history is useful - but if you really need that to make a decision on whether to update or not - you do have the choice of waiting until done."
No, of course I didn't need the change log to make a decision on whether to update - I updated right away. I always do.
But an up to date Version History would've been helpful for mentioning the new build at another forum, that of Security.nl, a Dutch information security, privacy and data protection site (where there are quite some PDF-XChange Viewer fans).
I did post the news at that forum, but it would've been nice if the change log would've been available, already.
That was why I was whining about that change log.
Sorry about that.
Thanks again
and kind regards,
Spiff
-
John - Tracker Supp
- Site Admin
- Posts: 5225
- Joined: Tue Jun 29, 2004 10:34 am
Re: DLL hijacking vulnerability
Hi Spiff,
thanks for your reply and I do empathise with you regarding the Viewer revision history - I agree in an ideal situation it would be ideal if it were posted at the same time, the problem is the person responsible is not the same as the people making the actual code updates - so some dialog has to occur between the 2 departments to ensure the information is available and then correctly transcribed and written and this is what takes the time - typically 1 or 2 'working' days (rather than weekend days) after the release to gather all the info and get it up.
We will try harder to make it more timely and thanks for your support in every sense - it really is appreciated
Best regards
Tracker Support
http://www.tracker-software.com
-
Spiff
- User
- Posts: 82
- Joined: Sun Apr 18, 2010 11:41 am
Re: DLL hijacking vulnerability
Thanks very much again, John,
Your reply and your explanation is really appreciated, also.
Very clear, thank you.
Kind regards,
Spiff
-
John - Tracker Supp
- Site Admin
- Posts: 5225
- Joined: Tue Jun 29, 2004 10:34 am
Re: DLL hijacking vulnerability
Pleasure Spiff 
Best regards
Tracker Support
http://www.tracker-software.com