Responsible Disclosure

As part of our research, we started a responsible disclosure procedure after we identified 21 out of 22 desktop viewer applications as vulnerable to at least one of our attacks.

In cooperation with the CERT-Bund, the national CERT section of BSI, we contacted all vendors, provided proof-of-concept exploits, and helped them to fix the issues. Three generic CVEs for each attack class were issued: CVE-2018-16042 (USF), CVE-2018-18688, CVE-2018-18689.

Acknowledgements

We would like to thank the CERT-Bund team for their great support during the responsible disclosure process. We also want to acknowledge the vendor teams that reacted to our report and fixed the vulnerable implementations.