
Security Updates

Originally published: 11/17/2017
Last updated: 11/17/2017

Update

Nitro has released a new version of Nitro Pro, which resolves potential security vulnerabilities.

Affected Versions: 11.0.6 and prior; 10.5.9.14 and prior
Vulnerability: A vulnerability exists in the Doc.SaveAs function which could be exploited by a specially crafted PDF file, potentially leading to a file write taking place outside of the intended path.
CVE: CVE-2017-7442

Affected Versions: 11.0.6 and prior; 10.5.9.14 and prior
Vulnerability: A vulnerability exists in the Doc.SaveAs function which could be exploited by a specially crafted PDF file, potentially leading to a URL launch taking place in conjunction with a Security Alert.
CVE: CVE-2017-7442
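Both issues above are reached through JavaScript embedded in a PDF. The scanner below is an added example, not Nitro's code and not part of this advisory: it pulls JavaScript actions out of a PDF (literal-string, hex-string and FlateDecode-stream forms), flags saveAs targets that leave the document's directory, and reports every launchURL call. It assumes the Acrobat JavaScript API names (Doc.saveAs with a cPath argument, app.launchURL), which is an assumption about Nitro's JavaScript support; the sample PDF is constructed here and contains only the API calls, not an exploit.

```python
import re
import zlib

# Added example (not Nitro's code). Acrobat JavaScript API names are assumed.
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj(.*?)endobj", re.S)
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)
JS_KEY_RE = re.compile(rb"/JS(?![A-Za-z])\s*")
SAVEAS_RE = re.compile(r'saveAs\s*\(\s*(?:\{[^}]*?cPath\s*:\s*)?["\']([^"\']*)["\']')
LAUNCHURL_RE = re.compile(r'launchURL\s*\(\s*["\']([^"\']*)["\']')
ESCAPES = {b"n": b"\n", b"r": b"\r", b"t": b"\t", b"(": b"(", b")": b")", b"\\": b"\\"}


def read_literal(data: bytes, start: int) -> bytes:
    """Decode the PDF literal string whose '(' sits at data[start]; handles nested
    parentheses and backslash escapes (ISO 32000-1, 7.3.4.2)."""
    if data[start:start + 1] != b"(":
        raise ValueError("not a literal string")
    depth, i, out = 0, start, bytearray()
    while i < len(data):
        c = data[i:i + 1]
        if c == b"\\":                      # escape: take the next byte, mapped if special
            nxt = data[i + 1:i + 2]
            out += ESCAPES.get(nxt, nxt)
            i += 2
            continue
        if c == b"(":
            depth += 1
            if depth == 1:                  # the opening parenthesis itself
                i += 1
                continue
        elif c == b")":
            depth -= 1
            if depth == 0:
                return bytes(out)
        out += c
        i += 1
    raise ValueError("unterminated literal string")


def stream_data(body: bytes) -> bytes:
    """Stream bytes of one object, inflated when its dictionary says /FlateDecode.
    A production parser would honour /Length instead of searching for 'endstream'."""
    m = STREAM_RE.search(body)
    if not m:
        return b""
    data = m.group(1)
    return zlib.decompress(data) if b"/FlateDecode" in body[:m.start()] else data


def extract_scripts(pdf: bytes) -> list:
    """Every /JS value in the file: literal string, hex string, or indirect stream."""
    objects = {int(m.group(1)): m.group(3) for m in OBJ_RE.finditer(pdf)}
    scripts = []
    for body in objects.values():
        m = JS_KEY_RE.search(body)
        if not m:
            continue
        rest = body[m.end():]
        if rest.startswith(b"("):
            scripts.append(read_literal(rest, 0))
        elif rest.startswith(b"<"):
            hexdigits = re.sub(rb"\s", b"", rest[1:rest.index(b">")])
            if len(hexdigits) % 2:          # a missing final hex digit reads as 0
                hexdigits += b"0"
            scripts.append(bytes.fromhex(hexdigits.decode("ascii")))
        else:
            ref = re.match(rb"(\d+)\s+\d+\s+R", rest)
            if ref and int(ref.group(1)) in objects:
                scripts.append(stream_data(objects[int(ref.group(1))]))
    return scripts


def escapes_directory(path: str) -> bool:
    """Heuristic for 'outside the intended path': anything other than a bare file
    name in the document's own directory (parent traversal, absolute or drive path)."""
    p = path.replace("\\", "/")
    if p.startswith("/") or re.match(r"^[A-Za-z]:", p):
        return True
    return any(seg == ".." for seg in p.split("/"))


def scan(pdf: bytes) -> list:
    findings = []
    for script in extract_scripts(pdf):
        text = script.decode("latin-1")
        for m in SAVEAS_RE.finditer(text):
            findings.append({"api": "saveAs", "arg": m.group(1),
                             "suspicious": escapes_directory(m.group(1))})
        for m in LAUNCHURL_RE.finditer(text):   # any external URL launch is reported
            findings.append({"api": "launchURL", "arg": m.group(1), "suspicious": True})
    return findings


def build_sample_pdf() -> bytes:
    """Constructed test input (not a real exploit): three JavaScript actions, one in
    each encoding the scanner understands."""
    js_literal = b'this.saveAs({cPath: "../../../Users/Public/dropped.exe"});'
    js_stream = zlib.compress(b'app.launchURL("http://example.invalid/landing", true);')
    js_hex = b'this.saveAs("copy.pdf");'.hex().encode("ascii")
    return (b"%PDF-1.4\n"
            b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R"
            b" /Names << /JavaScript << /Names [(a) 5 0 R (b) 7 0 R] >> >> >>\nendobj\n"
            b"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n"
            b"3 0 obj\n<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >>\nendobj\n"
            b"4 0 obj\n<< /S /JavaScript /JS (" + js_literal + b") >>\nendobj\n"
            b"5 0 obj\n<< /S /JavaScript /JS 6 0 R >>\nendobj\n"
            b"6 0 obj\n<< /Length " + str(len(js_stream)).encode() + b" /Filter /FlateDecode >>\n"
            b"stream\n" + js_stream + b"\nendstream\nendobj\n"
            b"7 0 obj\n<< /S /JavaScript /JS <" + js_hex + b"> >>\nendobj\n"
            b"trailer\n<< /Root 1 0 R >>\n%%EOF\n")


if __name__ == "__main__":
    for f in scan(build_sample_pdf()):
        print(("SUSPICIOUS " if f["suspicious"] else "info       ") + f["api"] + " -> " + f["arg"])
```

On the constructed sample the scanner reports the traversal saveAs and the launchURL call as suspicious and the in-directory saveAs as informational. Object streams, cross-reference streams and the /AA (additional actions) tree are not walked here, so treat a clean result as "nothing found", not "nothing present".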

Solution

Nitro recommends Personal (individual) users update their software to the latest version below. Business customers may contact their Nitro Account Manager for access to any security updates and deployment instructions. Enterprise customers with a dedicated Customer Success Manager will receive details of updated releases that address the issues.

Updated Version: 11.0.8.470
Availability: Please update to the latest version of Nitro Pro 11 available here

Updated Version: 10
Availability: Nitro is unable to fix this vulnerability in Nitro Pro 10. Please upgrade to the latest version of Nitro Pro 11 available here

For more information, please contact the Nitro Security Team at security@gonitro.com

Originally published: 9/27/2017
Last updated: 9/27/2017

Update

Nitro has released a new version of Nitro Pro, which resolves potential security vulnerabilities.

Affected Versions: 11.0.5.271 and prior; 10.5.9.14 and prior
Vulnerability: A memory write vulnerability that could potentially be exploited when opening a specially crafted PDF file with a specific Count field, leading to memory corruption and a crash.
CVE: CVE Pending

Affected Versions: 11.0.5.271 and prior; 10.5.9.14 and prior
Vulnerability: A use-after-free vulnerability exists that could potentially be exploited when opening a specially crafted PDF file containing a malformed JPEG2000 image, leading to memory corruption and a crash.
CVE: CVE Pending

Solution

Nitro recommends Personal (individual) users update their software to the latest version below. Business customers may contact their Nitro Account Manager for access to any security updates and deployment instructions. Enterprise customers with a dedicated Customer Success Manager will receive details of updated releases that address the issues.

Updated Version: 11.0.8.470
Availability: Please update to the latest version of Nitro Pro 11 available here

Updated Version: 10
Availability: Nitro is unable to fix this vulnerability in Nitro Pro 10. Please upgrade to the latest version of Nitro Pro 11 available here

For more information, please contact the Nitro Security Team at security@gonitro.com

Originally published: 7/21/2017
Last updated: 8/25/2017

Update

Nitro has released a new version of Nitro Pro, which resolves potential security vulnerabilities.

Affected Versions: 11.0.3.173 and prior; 10.5.9.14 and prior
Vulnerability: An out-of-bounds memory write vulnerability that could potentially be exploited when opening a specially crafted PDF file, leading to memory corruption and a crash.
CVE: CVE-2017-2796

Affected Versions: 11.0.3.173 and prior; 10.5.9.14 and prior
Vulnerability: A heap overflow vulnerability that could potentially be exploited when opening a specially crafted PCX image file, resulting in memory corruption and a crash.
CVE: CVE-2017-7950

Solution

Nitro recommends Personal (individual) users update their software to the latest version, which includes fixes for these vulnerabilities. Business customers may contact their Nitro Account Manager for access to the latest version and deployment instructions. Enterprise customers with a dedicated Customer Success Manager will receive details of updated releases that address the issues.

Updated Version: 11.0.8.470
Availability: Please update to the latest version of Nitro Pro 11 available here

Updated Version: 10
Availability: Nitro is unable to fix this vulnerability in Nitro Pro 10. Please upgrade to the latest version of Nitro Pro 11 available here

For more information, please contact the Nitro Security Team at security@gonitro.com

Originally published: 2/3/2017
Last updated: 8/25/2017

Update

Nitro has released a new version of Nitro Pro, which resolves potential security vulnerabilities.

Affected Versions: 11.0.3.134 and prior; 10.5.9.9 and prior
Vulnerability: A specially crafted PDF file can potentially cause memory corruption leading to a crash.
CVE: CVE-2016-8709, CVE-2016-8713

Affected Versions: 11.0.3.134 and prior; 10.5.9.9 and prior
Vulnerability: A potential remote code execution vulnerability in the PDF parsing functionality of Nitro Pro.
CVE: CVE-2016-8711

Solution

Nitro recommends Personal (individual) users update their software to the latest version, which includes fixes for these vulnerabilities. Business customers may contact their Nitro Account Manager for access to the latest version and deployment instructions. Enterprise customers with a dedicated Customer Success Manager will receive details of updated releases that address the issues.

Updated Version: 11.0.8.470
Availability: Please update to the latest version of Nitro Pro 11 available here

Updated Version: 10.5.9.14 or later
Availability: Please update to the latest version of Nitro Pro 10 available here
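Each of the four advisories on this page gives an affected ceiling ("X and prior") per version line and the build that carries the fix. The checker below is an added example, not Nitro's code: it encodes those tables (values transcribed from this page) and maps an installed build to the advisories it is still exposed to and the action the page prescribes. The one point worth taking from it is the "and prior" rule: compare only as many components as the ceiling has, so that 11.0.6.200 counts as inside "11.0.6 and prior" while 11.0.7 does not; zero-padding the ceiling would silently clear every 11.0.6.x build.

```python
# Added example (not Nitro's code). Advisory values transcribed from this page.
ADVISORIES = [
    {"published": "2017-11-17", "ids": ["CVE-2017-7442"],
     "affected": {"11": "11.0.6", "10": "10.5.9.14"},
     "fixed": {"11": "11.0.8.470", "10": None}},
    {"published": "2017-09-27",
     "ids": ["CVE Pending (Count field)", "CVE Pending (JPEG2000 use-after-free)"],
     "affected": {"11": "11.0.5.271", "10": "10.5.9.14"},
     "fixed": {"11": "11.0.8.470", "10": None}},
    {"published": "2017-07-21", "ids": ["CVE-2017-2796", "CVE-2017-7950"],
     "affected": {"11": "11.0.3.173", "10": "10.5.9.14"},
     "fixed": {"11": "11.0.8.470", "10": None}},
    {"published": "2017-02-03", "ids": ["CVE-2016-8709", "CVE-2016-8713", "CVE-2016-8711"],
     "affected": {"11": "11.0.3.134", "10": "10.5.9.9"},
     "fixed": {"11": "11.0.8.470", "10": "10.5.9.14"}},
]
UPGRADE_TARGET = "11.0.8.470"   # the page's current Nitro Pro 11 release


def parse_version(text: str) -> tuple:
    return tuple(int(part) for part in text.strip().split("."))


def affected_by(installed: tuple, bound: tuple) -> bool:
    """'X and prior' semantics: compare only as many components as X has, so
    11.0.6.200 is still inside '11.0.6 and prior' (zero-padding would miss it)."""
    return installed[:len(bound)] <= bound


def at_least(installed: tuple, target: tuple) -> bool:
    """Ordinary comparison with zero-padding, for 'update to X or later'."""
    width = max(len(installed), len(target))
    return installed + (0,) * (width - len(installed)) >= target + (0,) * (width - len(target))


def assess(installed: str) -> dict:
    """Advisory identifiers the build is exposed to, plus the action the page gives."""
    v = parse_version(installed)
    line = str(v[0])                       # "10" or "11": advisories are stated per line
    exposed, fix_targets, needs_new_line = [], [], False
    for adv in ADVISORIES:
        bound = adv["affected"].get(line)
        if bound is None or not affected_by(v, parse_version(bound)):
            continue
        exposed.extend(adv["ids"])
        fix = adv["fixed"].get(line)
        if fix is None:
            needs_new_line = True          # the page offers no fix on this line
        else:
            fix_targets.append(parse_version(fix))
    if not exposed:
        action = ("at or above the current release"
                  if line == "11" and at_least(v, parse_version(UPGRADE_TARGET))
                  else "not listed as affected by any published advisory")
    elif needs_new_line:
        action = "upgrade to Nitro Pro %s or later (no fix on the %s line)" % (UPGRADE_TARGET, line)
    else:
        action = "update to %s or later" % ".".join(map(str, max(fix_targets)))
    return {"installed": installed, "exposed": exposed, "action": action}


if __name__ == "__main__":
    for build in ("10.5.9.9", "10.5.9.14", "11.0.6.200", "11.0.8.470"):
        r = assess(build)
        print("%-12s %-45s %s" % (build, ", ".join(r["exposed"]) or "-", r["action"]))
```

Run it over an inventory export of installed Nitro Pro builds to get a per-host list of outstanding advisories; a 10.x build that is only exposed to the 2/3/2017 issues is the one case where staying on the 10 line (10.5.9.14 or later) is enough.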

For more information, please contact the Nitro Security Team at security@gonitro.com

Nitro Security Vulnerability Policy & Process

Nitro’s commitment to the security of its products and services is a core value. Through proactive security design and testing, Nitro is proud to have required few historical security updates. Central to this philosophy is how Nitro manages security vulnerabilities, including those reported to Nitro by third parties.

Reporting a Vulnerability

All Nitro security vulnerabilities should be reported via email to the Nitro Security Team at security@gonitro.com. Please provide the affected version/build, clear and concise steps to reproduce the vulnerability, and a proof-of-concept file. While Nitro appreciates reported bugs and vulnerabilities, Nitro does not provide rewards or acknowledgements for bug or security vulnerability submissions.

Nitro Security Vulnerability Process:

(1) Nitro will acknowledge and assess any vulnerability reported according to the instructions above, typically within 7 days.

(2) When a vulnerability is confirmed, Nitro will conduct risk analysis using the Common Vulnerability Scoring System (CVSS v3) and determine the most appropriate response for Nitro customers.

  • Critical security updates: Issues within the software that, if not addressed, pose a high risk and probability of unauthorized access, alteration or destruction of information on a user's computer or connected computers. Nitro will resolve critical security updates by providing a critical update to the current and previous released software version, or a major upgrade to the current and/or previous release.

  • Non-critical Security updates: Issues within the software that, if not addressed, pose a low to moderate risk and probability of unauthorized access, alteration or destruction of information on a user's computer or connected computers. Nitro will resolve non-critical security updates by providing a minor update or major upgrade to the current release.

(3) Nitro will design, implement & test any security updates, and make them available to customers on supported software versions; typically within 90 days.

(4) Nitro will publicly disclose all critical security vulnerabilities, affected versions, and relevant details of any updated releases that address the issues, on this Security Updates page.

For more information, please contact the Nitro Security Team at security@gonitro.com