|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
From: Secunia Security Advisories (sec-adv
secunia.com)
Date: Mon Jan 04 2010 - 17:57:11 CST
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
----------------------------------------------------------------------
Follow Secunia on Twitter
http://twitter.com/secunia
----------------------------------------------------------------------
TITLE:
PDF-XChange Viewer Content Parsing Memory Corruption Vulnerability
SECUNIA ADVISORY ID:
SA37706
VERIFY ADVISORY:
http://secunia.com/advisories/37706/
DESCRIPTION:
Secunia Research has discovered a vulnerability in PDF-XChange
Viewer, which can be exploited by malicious people to compromise a
user's system.
The vulnerability is caused due to an input validation error in
PDFXCview.exe when parsing certain content and can be exploited to
corrupt memory via a specially crafted PDF file.
Successful exploitation allows execution of arbitrary code when a
user views a malicious PDF document.
NOTE: The vulnerable code is e.g. also present in the bundled
PDF-XChange shell extension (XCShInfo.dll), which is installed by
default. This vector allows exploitation as soon as a user e.g.
selects a malicious PDF file or hovers the mouse pointer over it.
The vulnerability is confirmed in version 2.0.42.9. Other versions
may also be affected.
SOLUTION:
Update to version 2.044.
A fixed version is also bundled with version 4.0174 of the various
PDF-XChange editions.
PROVIDED AND/OR DISCOVERED BY:
Carsten Eiram, Secunia Research.
CHANGELOG:
2010-01-04: Added "PDF-XChange 4.x" as an affected product since
older versions bundle the vulnerable PDF-XChange Viewer product.
ORIGINAL ADVISORY:
Secunia Research:
http://secunia.com/secunia_research/2009-64/
Tracker Software Products:
http://www.docu-track.com/news/show/80
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
----------------------------------------------------------------------
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]