An Interest In:
Web News this Week
- March 29, 2024
- March 28, 2024
- March 27, 2024
- March 26, 2024
- March 25, 2024
- March 24, 2024
- March 23, 2024
Some of Our Sources
- BoingBoing
- Web Designer Wall
- The Logo Smith
- Fuel Your Creativity
- FanExtra - PSD
- Fudge Graphics
- CSS Globe
- Spyre Studios
- Willems Lab
- The Verge
Help Webnuz
Referal links:
February 26, 2019 12:10 am
Original Link: http://rss.slashdot.org/~r/Slashdot/slashdot/~3/SsXEkSxVBZI/researchers-break-digital-signatures-for-most-desktop-pdf-viewers
Researchers Break Digital Signatures For Most Desktop PDF Viewers
An anonymous reader quotes a report from ZDNet: A team of academics from the Ruhr-University Bochum in Germany say they've managed to break the digital signing system and create fake signatures on 21 of 22 desktop PDF viewer apps and five out of seven online PDF digital signing services. This includes apps such as Adobe Acrobat Reader, Foxit Reader, and LibreOffice, and online services like DocuSign and Evotrust --just to name the most recognizable names. The five-person research team has been working since early October 2018 together with experts from Germany's Computer Emergency Response Team (BSI-CERT) to notify impacted services. The team went public with their findings over the weekend after all affected app makers and commercial companies finished patching their products. In research published today, the Ruhr-University Bochum team described three vulnerabilities that they found in the digital signing process used by several desktop and web-based PDF signing services. Summarized, they are: 1. Universal Signature Forgery (USF) -- vulnerability lets attackers trick the signature verification process into showing users a fake panel/message that the signature is valid.2. Incremental Saving Attack (ISA) -- vulnerability lets attackers add extra content to an already signed PDF document via the "incremental saving (incremental update)" mechanism, but without breaking the already-existing signature.3. Signature Wrapping (SWA) -- vulnerability is similar to ISA, but the malicious code also contains extra logic to fool the signature validation process into "wrapping" around the attacker's extra content, effectively digitally signing the incremental update. Additional details about the three vulnerabilities are available in this PDF research paper [1, 2], this blog post, and this dedicated website.Read more of this story at Slashdot.
Original Link: http://rss.slashdot.org/~r/Slashdot/slashdot/~3/SsXEkSxVBZI/researchers-break-digital-signatures-for-most-desktop-pdf-viewers
Share this article:
Tweet
View Full Article
Slashdot
Slashdot was originally created in September of 1997 by Rob "CmdrTaco" Malda. Today it is owned by Geeknet, Inc..More About this Source Visit Slashdot