MacMusic  |  PcMusic  |  440 Software  |  440 Forums  |  440TV  |  Zicos
pdf
Search

Researchers Break Digital Signatures For Most Desktop PDF Viewers

Tuesday February 26, 2019. 01:10 AM , from Slashdot
An anonymous reader quotes a report from ZDNet: A team of academics from the Ruhr-University Bochum in Germany say they've managed to break the digital signing system and create fake signatures on 21 of 22 desktop PDF viewer apps and five out of seven online PDF digital signing services. This includes apps such as Adobe Acrobat Reader, Foxit Reader, and LibreOffice, and online services like DocuSign and Evotrust --just to name the most recognizable names. The five-person research team has been working since early October 2018 together with experts from Germany's Computer Emergency Response Team (BSI-CERT) to notify impacted services. The team went public with their findings over the weekend after all affected app makers and commercial companies finished patching their products. In research published today, the Ruhr-University Bochum team described three vulnerabilities that they found in the digital signing process used by several desktop and web-based PDF signing services. Summarized, they are:

1. Universal Signature Forgery (USF) -- vulnerability lets attackers trick the signature verification process into showing users a fake panel/message that the signature is valid.
2. Incremental Saving Attack (ISA) -- vulnerability lets attackers add extra content to an already signed PDF document via the 'incremental saving (incremental update)' mechanism, but without breaking the already-existing signature.
3. Signature Wrapping (SWA) -- vulnerability is similar to ISA, but the malicious code also contains extra logic to fool the signature validation process into 'wrapping' around the attacker's extra content, effectively digitally signing the incremental update. Additional details about the three vulnerabilities are available in this PDF research paper [1, 2], this blog post, and this dedicated website.

Read more of this story at Slashdot.
rss.slashdot.org/~r/Slashdot/slashdot/~3/SsXEkSxVBZI/researchers-break-digital-signatures-for-most-d...
News copyright owned by their original publishers | Copyright © 2004 - 2024 Zicos / 440Network
Current Date
Nov, Fri 22 - 13:58 CET