One news publication I’ve written a fair amount of content for always required that writers prepare and submit invoices in PDF form, ostensibly because they’re less susceptible to manipulation compared to a garden variety text-based document. At least that’s what I think the reason for that mandate was, not that it matters to writers much. If that directive is how you get paid, then that’s what you do, even though — well, let’s just say that anyone who has held that assumption about the nature of PDFs needs to disabuse themselves of it pretty quickly.
Researchers with Germany’s Ruhr-University Bochum, presenting at this year’s IEEE Symposium on Security and Privacy, walked through security flaws inherent in PDFs that have already been patched by most applications that read these documents, but the implications here are scary, nonetheless.
Basically, the researchers found a way to alter both the signature process of PDFs as well as to annotate changes. As they explain on their blog, “we performed an extensive analysis of the security of PDF certification. In doing so, we developed the Evil Annotation Attack (EAA), as well as the Sneaky Signature Attack (SSA).
“The attack idea exploits the flexibility of PDF certification, which allows signing or adding annotations to certified documents under different permission levels. Our practical evaluation shows that an attacker could change the visible content in 15 of 26 viewer applications by using EAA and in 8 applications using SSA by using PDF specification compliant exploits. We improved both attacks’ stealthiness with applications’ implementation issues and found only two applications secure to all attacks.”
It certainly sounds like the intended use case of a security flaw like this is the equivalent of forging someone’s name on a contract or document that they wouldn’t otherwise sign — or, via the ability to annotate a PDF, perhaps to insert clauses or other features of an agreement that the person didn’t believe was part of the document that they originally signed. It’s a little bit of a head-scratcher though, since one way of protecting yourself from this kind of thing would seem to be … just keeping a copy of the signed, original document for yourself for literally this reason?
This all comes, by the way, just a few weeks after Adobe Acrobat issued a patch for a zero-day that targeted Windows users specifically. Not long after, as we noted here, researchers with Microsoft Security Intelligence revealed that PDFs were the vector whereby attackers were disseminating a Java-based remote access Trojan that could do everything from logging user keystrokes to stealing credentials, and much more.