IT security experts discover how malicious code can be embedded in PDF documents

IT security experts at Ruhr University Bochum have discovered a security issue in the certification signatures of PDF documents, according to the university's website.

A special form of signing PDF files can be used, for example, to conclude contracts. Unlike a regular signature, a certification signature allows certain changes to be made to a document after it has actually been signed. This is necessary so that the other party to the contract can also sign the document.

A team from the Horst Goertz Institute for IT Security in Bochum showed that the other party to the contract can also discreetly change the text of the contract when adding its digital signature, without invalidating the certification. The researchers also discovered a vulnerability in Adobe products that allows attackers to inject malicious code into documents.

By using certification signatures, the party who issues the document and signs it first can determine what changes the other party can then make. For example, the other party may be allowed to add comments, insert text in special fields, or add a second digital signature at the bottom of the document. The Bochum group violated the integrity of protected PDF documents with two attacks called Sneaky Signature Attack (SSA) and Evil Annotation Attack (EAA). In this way, the researchers were able to display fake content in the document instead of the certified content without invalidating the certification or triggering warnings from PDF applications.

The IT security experts tested 26 PDF applications; in 24 of them they were able to break the certification with at least one of the attacks. In 11 applications, the specifications for PDF certification were also incorrectly implemented.
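
A defender-side triage sketch for the mechanism described above, added here as an example and not code from the researchers or any PDF vendor: it reads the certification's permitted-change level (the DocMDP `/P` value defined in the PDF specification) and reports what was appended after the certified revision. The function name, the report keys and the sample bytes are assumptions constructed for illustration, and the regex scan only sees uncompressed objects.

```python
import re

# DocMDP permission levels as defined in the PDF specification (ISO 32000).
LEVELS = {1: "no changes", 2: "form filling and signing",
          3: "form filling, signing and annotations"}
BYTE_RANGE = re.compile(rb"/ByteRange\s*\[\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*\]")

def triage_certified_pdf(pdf: bytes) -> dict:
    """Hypothetical helper: heuristic scan, sees uncompressed objects only."""
    first_sig = BYTE_RANGE.search(pdf)  # assumes the certification is the first signature
    if first_sig is None or b"/DocMDP" not in pdf:
        return {"certified": False}
    _, _, start2, len2 = (int(n) for n in first_sig.groups())
    perm = re.search(rb"/TransformParams\s*<<[^>]*?/P\s+([123])", pdf)
    level = int(perm.group(1)) if perm else 2  # /P defaults to 2 when absent
    # Everything past the signed byte range arrived after certification.
    appended = pdf[start2 + len2:]
    return {
        "certified": True,
        "level": level,
        "permitted": LEVELS[level],
        "bytes_after_certification": len(appended.strip()),
        "annotations_after_certification": len(re.findall(rb"/Type\s*/Annot\b", appended)),
        "signature_fields_after_certification": len(re.findall(rb"/FT\s*/Sig\b", appended)),
        "needs_review": bool(appended.strip()),
    }

# Constructed, PDF-like sample bytes (not a renderable PDF).
_head = (b"%PDF-1.7\n1 0 obj << /Type /Sig /ByteRange [0 10 20 XXXXXXXXXX] "
         b"/Reference [<< /TransformMethod /DocMDP /TransformParams << /P 3 >> >>] "
         b">> endobj\n%%EOF\n")
BASE = _head.replace(b"XXXXXXXXXX", b"%010d" % (len(_head) - 20))
UPDATE = (b"7 0 obj << /Type /Annot /Subtype /Text /Contents (added later) >> endobj\n"
          b"8 0 obj << /FT /Sig /T (Signature2) >> endobj\n%%EOF\n")
SAMPLE = BASE + UPDATE

if __name__ == "__main__":
    for key, value in triage_certified_pdf(SAMPLE).items():
        print(f"{key}: {value}")
```

A `needs_review` result does not mean the document was tampered with; it means content was added after certification and should be compared against the certified revision rather than trusted on the viewer's signature status alone.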


Alexandr Ivanov earned his Licentiate Engineer in Systems and Computer Engineering from the Free International University of Moldova. Since 2013, Alexandr has been working as a freelance web programmer.
Function: Web Developer and Editor
E-mail: except.freenews@gmail.com
Alexandr Ivanov
