Has a security vulnerability been identified in eLynx's SwiftView Viewer software?
Yes. CERT (a federally funded program that is part of Carnegie Mellon's Software Engineering Institute) identified a potential security vulnerability in the SwiftView Viewer ActiveX control.
This control is used to enable the Viewer to work within Microsoft's Internet Explorer web browser.
The vulnerability also exists in the SwiftView Firefox browser plugin.
Have any SwiftView Viewer customers experienced problems resulting from this vulnerability?
No. CERT has identified only a potential threat.
There are no known public exploits of this vulnerability at this time, and the details of the vulnerability have not been divulged outside of CERT and eLynx, Inc.
What is the risk to users of the SwiftView viewer software?
There is very little risk to users from this vulnerability at the present time.
Once the vulnerability becomes generally known on the internet, someone could exploit it.
Are all users of the SwiftView PCL Viewer potentially at risk?
Only users with either the plugin or ActiveX control installed and functioning in a browser are vulnerable.
Standalone SwiftView and SwiftView for Unix are not affected.
What user actions could trigger an exploit?
Users are only vulnerable if they visit an unknown, untrusted website, e.g. by clicking on a web link in an email message.
This vulnerability cannot be exploited during normal use of the software with legitimate websites or valid documents.
What is the specific vulnerability that CERT identified?
CERT found and exploited a buffer overflow condition that can be used to execute code on the user's system.
It can only be exploited in a web browser, via a malicious website containing an instance of the SwiftView ActiveX control or plugin.
When will eLynx eliminate this potential vulnerability?
Release 8.3.5 of our SwiftView PCL Viewer software eliminates this potential vulnerability.
Will all SwiftView and SwiftSend users need to upgrade to the latest version once eLynx releases an update to address this vulnerability?
All SwiftSend users should upgrade. Only those SwiftView users who have installed the ActiveX control or plugin will need to upgrade.
All SwiftView customers distributing SwiftView, e.g. on internet-accessible websites, are strongly encouraged to upgrade their distribution copy as soon as possible.
Initially, SwiftSend customers will be notified by email of the need to upgrade.
eLynx will provide instructions and phone-based support for our customers if they need assistance in completing the upgrade process.
Future SwiftSend releases will encourage, and at some point require, that all users upgrade.