New 'Shadow Attack' can replace content in digitally signed PDF files

[silversurfer]

Content source

https://www.zdnet.com/article/new-shadow-attack-can-replace-content-in-digitally-signed-pdf-files/

Fifteen out of 28 desktop PDF viewer applications are vulnerable to a new attack that lets malicious threat actors modify the content of digitally signed PDF documents.

The list of vulnerable applications includes Adobe Acrobat Pro, Adobe Acrobat Reader, Perfect PDF, Foxit Reader, PDFelement, and others, according to new research [PDF] published this week by academics from the Ruhr-University Bochum in Germany.

Image: Mainka et al. ​

PDF Insecurity Website

pdf-insecurity.org

 

[Gandalf_The_Grey]

From the article:

PATCHES ARE AVAILABLE
The research team said they worked with the CERT-Bund (Computer Emergency Response Team of Germany) to contact PDF app makers to report this new attack vector and have it patched before going public with their findings earlier this week.

The Shadow Attack is currently tracked with the CVE-2020-9592 and CVE-2020-9596 identifiers.

Companies should update their PDF viewer apps to make sure the PDF documents they sign can't be tampered with via a Shadow Attack.

So, nothing to worry about if your pdf software is up to date?

 

[Ink]

nothing to worry about if your pdf software is up to date?

Concerns are users who use manual updates, blocked checking for updates, or using older versions because they don't want to pay for the newer releases. Both for consumers and businesses.


I don't see Chrome or Chromium-Edge PDF "app" on the list, browser PDFs are unaffected?

 

[upnorth]

Was shortly debated also here.

Can You Trust Digital Signatures in PDF Files?

Hardly a company or government agency exists that does not use PDF files. And they often use digital signatures to ensure the authenticity of such documents. When you open a signed file in any PDF viewer, the program displays a flag indicating that the document is signed, and by whom, and gives...

malwaretips.com

CVE-2020-9592 and CVE-2020-9596 was patched in Adobe Reader in May this year 2020.

Adobe Security Bulletin

Security Update available for Adobe Acrobat and Reader | APSB20-24

helpx.adobe.com

As previous, PDF readers that can't view digitally signed documents this probably ain't an issue.

 

[CyberTech]

No vulnerable for SumatraPDF? I wish they could test it..

 

[upnorth]

No vulnerable for SumatraPDF? I wish they could test it..

If I was you @CyberTech I would check if Sumatra have any digital signed feature etc. Simply ask the support.

 

[SeriousHoax]

No vulnerable for SumatraPDF? I wish they could test it..

Sumatra doesn't support digital signatures because of security risk so no worries for us

digital signature support · Issue #59 · sumatrapdfreader/sumatrapdf

It would be great to have abilite to check digital signature in pdf -> Like in Adobe it should show that pdf is signed and with what signature, and who signed that digital signature. In version 3.0...

github.com