Desktop Viewer Applications

Legend:

- Exfiltration (no user interaction)
- Exfiltration (with user interaction)
- No exfiltration / not vulnerable

Windows

Application	Version	Direct Exfiltration	CBC Gadgets
Adobe Acrobat DC	2019.008.20081
Foxit Reader	9.2.0.9297
PDF-XChange Viewer	2.5.322.9
Perfect PDF Reader	8.0.3.5
PDF Studio Viewer	2018.1.0
Nitro Reader	5.5.9.2
Acrobat Pro DC	2017.011.30127
Foxit PhantomPDF	9.5.0.20723
PDF-XChange Editor	7.0.326.1
Perfect PDF Premium	10.0.0.1
PDF Studio Pro	12.0.7
Nitro Pro	12.2.0.228
Nuance Power PDF	3.0.0.17
iSkysoft PDF Editor	6.4.2.3521
Master PDF Editor	5.1.36
Soda PDF Desktop	11.0.16.2797)
PDF Architect	7.0.23.3193
PDFelement	6.8.0.3523

Mac

Application	Version	Direct Exfiltration	CBC Gadgets
Preview	3.32.0
Skim	1.4.37

Linux

Application	Version	Direct Exfiltration	CBC Gadgets
Evince	10.0.944.4
Okular	1.7.3
MuPDF	1.14.0

Web

Application	Version	Direct Exfiltration	CBC Gadgets
Chrome	70.0.3538.67
Firefox	66.0.2
Safari	11.0.3
Opera	57.0.3098.106

Download PoCs

You can get all Proof-of-Concept exploits in one .tgz file via the following link.

CVEs/Fixes

Adobe: CVE-2019-8237
MacOS, PDFKit: CVE-2019-8772
Google Chrome (private bugs 959183, 959795)
PDF-XChange Editor/Viewer: Fix against Direct Exfiltration by throwing a warning and letting the user decide if the document is trusted. If not -- only encrypted parts are processed. No countermeasure against CBC gadgets is implemented.
Master PDF Editor: no countermeasures will be implemented

Responsible Disclosure

As part of our research, we started a responsible disclosure procedure.

In cooperation with the CERT-Bund, the national CERT section of BSI, we contacted all vendors, provided proof-of-concept exploits, and helped them to fix the issues.