Frequently Asked Questions

Why did you not analyzed Viewer X

We analyzed all PDF applications, which we could identity for signature support. See the following table.

List of PDF Software [1]

Category OS Tool Signatures
Browser multiple Chrome N
Browser multiple Edge N
Browser multiple Firefox (pdf.js) N
Browser multiple Internet Explorer N
Browser multiple Opera N
Viewer multiple MuPDF N+
Viewer Windows PDF Reader (Windows Store App) N
Viewer Windows PDF Viewer Go N
Viewer Windows PDF Viewer Plus N
Viewer Windows Slim PDF N
Viewer Windows STDU Viewer N
Viewer Windows Sumatra PDF N
Viewer Windows Ultra PDF Viewer N
Viewer Windows Xodo N
Viewer Linux Okular N
Viewer Linux Evince N
Viewer Linux Zathura N
Viewer Linux Xpdf N
Viewer Linux Qpdfview N
Viewer Windows PDF Doc N
Editor multiple Corel PDF Fusion N
Editor multiple Smallpdf N
Viewer multiple Adobe Reader Y
Viewer multiple Foxit Reader Y
Viewer Windows eXpert PDF 12 Ultimate Y
Viewer Windows Expert PDF Reader Y
Viewer Windows Nitro Reader Y
Viewer Windows Perfect PDF Viewer (Windows Store App) Y
Viewer Windows PDF Experte 9 Ultimate Y
Editor multiple Adobe Acrobat Y
Editor multiple iSkysoft PDF Editor pro Y
Editor multiple LibreOffice Y~
Editor multiple Master PDF Editor Y~
Editor multiple Nuance Power PDF Y
Editor multiple Perfect PDF (Desktop Application) Y
Editor multiple PDF Studio Y
Editor Windows PDF Architect 6 Y
Editor Windows PDFelement Y~
Editor Windows PDF-XChange Y
Editor Windows Soda PDF Y

+only signing supported

~only visible signatures supported

#verification with command line tool

*according to vendor's website, not manually verified!

Where are the PDF libraries?

In the first phase of our security evaluation we concentrated on pdf viewer and online validation services, since they give a clear indication wether the attack was successful. To this point, we did not analyze PDF libraries like poppler (pdfsig) or pdfbox, since different configurations are possible. For example, the validation of a signed pdf can be executed with different calls in pdfbox.

Did you analyzed other standards then PDF?

No, we only analyzed signatures in standard PDF version 1.7, without standards like PDF/A. Our exploits are using PDF version 1.4.

How to test your application/library/service

To test if our attacks can bypass your signature validation and/or your application logic, you can download the provided PoCs from our website and open the files. If your application can not detect the modification or shows no warning/error to the user that the document was modified after the signature creation your application is vulnerable.

Disclaimer: We provided a list of PoCs for which we know they can be used to bypass a set of applications. We created this PoCs over several months of intensive testing and fine tuning. Just because your application was able to detected all PoCs, it does not mean your application is secure against our attacks. To best of our knowledge you are only secure against such attacks, if you signature verification works as described in our paper in Listing 2.

Where can I find the Exploits, example PDFs?

You can download the exploits (example PDFs) here

Yes, despite the resistance of some of the authors we have one under Apache 2.0 license.


last updated: 2019/02/28 - 11:50 AM