Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Security Digital Software Technology

Researchers Break Digital Signatures For Most Desktop PDF Viewers (zdnet.com) 28

An anonymous reader quotes a report from ZDNet: A team of academics from the Ruhr-University Bochum in Germany say they've managed to break the digital signing system and create fake signatures on 21 of 22 desktop PDF viewer apps and five out of seven online PDF digital signing services. This includes apps such as Adobe Acrobat Reader, Foxit Reader, and LibreOffice, and online services like DocuSign and Evotrust --just to name the most recognizable names. The five-person research team has been working since early October 2018 together with experts from Germany's Computer Emergency Response Team (BSI-CERT) to notify impacted services. The team went public with their findings over the weekend after all affected app makers and commercial companies finished patching their products. In research published today, the Ruhr-University Bochum team described three vulnerabilities that they found in the digital signing process used by several desktop and web-based PDF signing services. Summarized, they are:

1. Universal Signature Forgery (USF) -- vulnerability lets attackers trick the signature verification process into showing users a fake panel/message that the signature is valid.
2. Incremental Saving Attack (ISA) -- vulnerability lets attackers add extra content to an already signed PDF document via the "incremental saving (incremental update)" mechanism, but without breaking the already-existing signature.
3. Signature Wrapping (SWA) -- vulnerability is similar to ISA, but the malicious code also contains extra logic to fool the signature validation process into "wrapping" around the attacker's extra content, effectively digitally signing the incremental update.
Additional details about the three vulnerabilities are available in this PDF research paper [1, 2], this blog post, and this dedicated website.
This discussion has been archived. No new comments can be posted.

Researchers Break Digital Signatures For Most Desktop PDF Viewers

Comments Filter:
  • by PaulBu ( 473180 ) on Monday February 25, 2019 @07:22PM (#58179668) Homepage

    And how then we are supposed to know that this is really from these researchers??? :)
    Paul B.

    • Comment removed based on user account deletion
      • You guys both think you're funny, but you're actually highlighting the really horrifying facet of this problem here. You might be able to tell yourselves "It's fine I'll just use GPG too." but for the vast majority of the population and major institutions, security is effectively dead now, and they're trying to alter their business plans to adapt to making money in an environment where the forgone conclusions are that no system is secure-able and the only thing left with any value is your stolen identity.

        • You guys both think you're funny, but you're actually highlighting the really horrifying facet of this problem here. You might be able to tell yourselves "It's fine I'll just use GPG too." but for the vast majority of the population and major institutions, security is effectively dead now, and they're trying to alter their business plans to adapt to making money in an environment where the forgone conclusions are that no system is secure-able and the only thing left with any value is your stolen identity.

          If they're just doing that now they're at least a decade too late.

  • According to the article, Adobe 9 for Linux is the only secure reader. TLDR, don't run windows or mac!

  • So, can somebody who RTFA or otherwise knows this topic, did they crack PGP or are we still good here?

  • How can i validate my class 3 digital signature [signyourdoc.com] online

Nothing ever becomes real till it is experienced -- even a proverb is no proverb to you till your life has illustrated it. -- John Keats

Working...