The current version of the Nitro Pro PDF reader has at least one vulnerability that could be exploited to execute code remotely on the victim's system, and a third party is currently working on a fix for it.
Nitro PDF Pro urgently requires patching for 7 hidden RCE vulnerabilities.
No official patch from Nitro PDF Pro's developers is available for this security issue. Exploitation requires the victim to open a specially structured PDF file in a vulnerable version of the software.
Nitro PDF's main customer base consists of businesses, including national and global-scale companies, which use the tool as a replacement for Adobe Acrobat Pro.
Temporary fixes for 7 hidden vulnerabilities
CVE-2019-5050 is one of six vulnerabilities discovered by researchers at Cisco Talos in Nitro PDF Pro 12.12.1.522 and disclosed last week. It lies in the software's PDF parsing functionality. The researchers believe that, with minimal effort, attackers could use it to execute arbitrary code on the user's system.
Mitja Kolsek, CEO of Acros Security, the company behind the 0patch platform, stated that the issue also exists in the latest release of Nitro PDF Pro, version 13.2.3.26, released on 9/27.
Last Friday, Kolsek announced that a micropatch mitigating exploitation of CVE-2019-5050 is ready, and that it will be released on Monday to users of the Pro version.
CVE-2019-5050 is the only one of the flaws that Cisco Talos researchers have confirmed in the latest version of Nitro PDF Pro. Kolsek, however, doubts that it is the only one, and if his suspicions are correct, all six vulnerabilities will need patching.
This is not the only outstanding issue with Nitro PDF. A similar flaw was reported to Acros Security and Nitro Software about two years ago; it remains unfixed and still affects the current version.
Security Report Flagged as Spam
Cisco Talos first sent its report to Nitro Software on 5/7, but did not receive a response until three months later, on 8/7.
Nitro Software explained its silence by claiming that the earlier emails had been flagged as spam. The security report Acros Security submitted two years ago met the same fate, which is a significant oversight on the vendor's part.
According to Cisco Talos's disclosure policy, vendors have 90 days to address a reported vulnerability. If the vendor fails to mitigate the risk or respond within that period, the vulnerability is publicly disclosed.
After receiving the report from Cisco Talos, Nitro Software announced that the issue would be addressed in the next release, but gave no specific timeframe. When an official patch for Nitro PDF Pro does arrive, it will be the first security update in nearly two years.
