Researchers break digital signatures for most desktop PDF viewers

LASER_oneXM

Researchers faked signatures on 21 of 22 desktop PDF viewer apps and 5 out of 7 online PDF digital signing services.

A team of academics from the Ruhr-University Bochum in Germany say they've managed to break the digital signing system and create fake signatures on 21 of 22 desktop PDF viewer apps and five out of seven online PDF digital signing services.

This includes apps such as Adobe Acrobat Reader, Foxit Reader, and LibreOffice, and online services like DocuSign and Evotrust, just to name the most recognizable names.
The five-person research team has been working since early October 2018 together with experts from Germany's Computer Emergency Response Team (BSI-CERT) to notify impacted services.
At the end of this article are images showing which PDF apps and web-based PDF signing services were vulnerable and to which of the three vulnerabilities.

"If you use one of our analyzed Desktop Viewer Applications you already should have got an update for your reader," researchers said. Users who haven't installed any updates to their PDF apps lately should look into updating their client to prevent it from loading forged digitally signed PDF docs. The web services listed in the report fixed the issues by applying server-side fixes.

"Currently, we are not aware of any exploits using our attacks," researchers said.
 
