PDF Vulnerabilities

PDF’s are used daily by most businesses for multiple reasons. Throughout the pandemic however they have become increasingly popular to send and sign agreements digitally. A new report however has found a security vulnerability in most certified PDF application that can leave businesses exposed to attack.

Researchers explained certified PDFs use two specific signatures to authenticate the document, an Approval signature and a Certification signature. Certification signatures are the more flexible and made to handle complicated agreements between multiple parties and allow some changes to the document within a set of parameters while still maintaining its integrity.

Certified signatures is where the vulnerability lies and where the researchers found two specific vulnerabilities which have now been called “Evil Annotation” (EAA) and “Sneaky Signature” (SSA). Both allow an attacker to overlay malicious content (PDF) on top of the certified information without showing any signs it was changed.

EAAs display malicious content in the document’s annotations and then sends it on with its digital signature intact. SSAs add malicious content over original content in the PDF itself.

These vulnerabilities where found in 26 certified PDF applications when tested by researchers. Adobe had an additional vulnerability that allowed certified documents to execute JavaScript code. This could open up users to SQL Injection attacks.

The researchers said it disclosed their findings to the appropriate business who created the PDF software and provided a vulnerability report, including exploits, after penetration testing.

To stop off Evil Annotation Attacks, the researchers recommend admins prohibit three  annotations that allow text or images to be added to a certified PDF, “FreeText, Stamp and Redact.”

If you have a piece of software in your business that you have created and are worried about its security and unknown vulnerabilities, a penetration test by a cyber security team such as Cybx is the best way to find so you are able to fix just like what happened to these PDF applications.