Digital Signatures in PDFs Are Broken

Researchers have demonstrated spoofing of digital signatures in PDF files.

This would matter more if PDF digital signatures were widely used. Still, the researchers have worked with the various companies that make PDF readers to close the vulnerabilities. You should update your software.

Details are here.

News article.

Posted on March 6, 2019 at 6:17 AM • 11 Comments


1&1~=Umm • March 6, 2019 8:09 AM

"You should update your software."

If only that were possible without the issues and side effects.

There was a time when PDF readers were simple and small, thus worked well on what is now considered 'antiquated hardware and OS' such as Windows XP running on 6 and more year old hardware with limited memory. Likewise a whole heap of 'mobile devices'.

For many many people PDFs really no longer serve the purpose they were selected for. PDFs also have a history of vulnerabilities due to a number of reasons intrinsic to the file format (it is after all a form of 'source code' not too dissimilar to Forth).

Perhaps we should be looking to replace them with something more appropriate.

CallMeLatForSupper • March 6, 2019 10:08 AM

The page at
displays as an unreadable mess on my Firefox 65.0.1.

The menu (at left)
How to break PDF Signatures
So what is the problem?
Who uses PDF Signatures?
How bad is it?
How can I protect myself?
My PDF Reader is not listed
Continue reading
obliterates all text below it and cannot be dismissed.

CallMeLateForSupper • March 6, 2019 10:31 AM

I count 6 Linux readers listed among the "Tested". My reader - part of an Ubuntu 16.04 LTS distribution, I believe - is "Document Viewer 3.16.2" and is not among those 6. Strange.

Counterintuitively, the only tested reader that didn't yield to any of the three attacks is an Adobe product.

Martin Grothe • March 6, 2019 10:54 AM

@CallMeLatForSupper: I had no problems with Firefox 65.0.2.

We only tested viewers which have the capability to verify signatures. If I am correct, Document Viewer under Ubuntu 16.04 is evince, which cannot verify signatures.

See also:

Kind regards,
Martin Grothe

kts • March 6, 2019 11:03 AM

"(it is after all a form of 'source code' not too dissimilar to Forth). Perhaps we should be looking to replace them with something more appropriate."

It's like the early 90s all over again. PDF was, itself, developed to be intentionally Turing-incomplete—based on experience from its predecessor, PostScript. And then in PDF 1.2 Adobe added JavaScript.

Microsoft did create OpenXPS as a PDF replacement; it never became popular.

MK • March 6, 2019 7:56 PM

It's really easy to create a non-conforming PDF, and many (most) viewers won't even notice.

Gerard van Vooren • March 6, 2019 11:02 PM

@ kts,

About OpenXPS,

We all know the problems that MS has with its own software.

About PDF 1.2,

The benefit of having a FOSS implementation is that you can choose which features you want to use.

Herman • March 7, 2019 3:36 AM

Digital signatures, as implemented in pretty much all corporate environs, don't work anyway:
1. The PC doesn't belong to the user, it belongs to IT.
2. IT has backdoor access to the PC.
3. IT creates the signature pairs.
4. The user has no way to verify the signatures - they can be all zeroes - they can be all the same...
5. When a user signs the document, it is actually signed with the IT signature on the IT PC - therefore, the user didn't sign the document - IT signed it.
6. Since IT has access to all PCs, they can sign anything with any signature and nobody will be any the wiser.

So, this latest found bug, is a bug in a useless system which doesn't matter really.

1&1~=Umm • March 9, 2019 12:49 AM

@Duff Johnson:

"The headline is misleading."

Hmm, let me see what misleading means, according to the Oxford English Dictionary (OED),

'Giving the wrong idea or impression.'

You then say without explanation,

"This is a vulnerability in processors, not in PDF."

Where you are actually using 'processors' as a term of art in a way particular to the PDF Association standards descriptions.

Where what you actually mean is that there are multiple but independent software applications in the PDF marketplace where there are 'implementation issues in software that interprets the PDF file format', but that 'the PDF file format standard omits the handling of digital signatures'. But this will all be explained IF people take out PDF Association membership?


Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.