PDF without Adobe: 12 Vulnerabilities in digital signing

No sooner do I write here about digital signatures in PDF documents than they’re revealed to have been vulnerable to spoofing. This has allowed the forging of digital signatures in almost all products, local and online, until very recently, although I’m not aware of any examples of this being exploited, yet.

Research by Vladislav Mladenov and others at the Ruhr University Bochum and Hackmanit GmbH has just been published, which provides full details of the vulnerabilities and problems that arise from them. If you use digital signatures, I strongly recommend that you read their account carefully. Here I provide a short summary of its implications for Mac users.

All the Mac apps which they tested were vulnerable to at least one of their three exploits, although they didn’t assess all Mac apps which claim to be compatible with digital signatures. Since they performed those tests last year, most if not all products have been updated. The vulnerable versions which you should ensure are updated include:

  • Adobe Acrobat Reader DC 2018.011 and 2019.008.20080
  • Adobe Reader XI 11.0.10 and 11.0.23
  • Foxit Reader 9.1.0 and 9.2.0
  • LibreOffice and

and versions of Master PDF Editor, PDF Editor 6 Pro, PDFelement6 Pro, PDF Studio Viewer 2018 and PDF Studio Pro.

Of the products which I have looked at so far on macOS Mojave, only Adobe Acrobat appears able to examine and check the signature in documents which demonstrate these vulnerabilities, and it was the only product which now correctly reports that spoofed signatures are not valid. If you need to check digital signatures in PDFs on the Mac, you are going to have to do so using either the free Acrobat Reader or Acrobat Pro.

As far as I can see, current versions of Preview, PDF Expert, PDFpenPro and Podofyllin don’t perform any meaningful checks of digital signatures in PDF documents.

The researchers also assessed several online validation services, including DocuSign, of which only one (DSS Demonstration WebApp 5.4) wasn’t vulnerable. DocuSign and two others are reported as not having fixed their vulnerabilities yet (as of 27 February 2019).

These researchers point out that their exploits use PDF version 1.4, rather than the full-blown ISO standard, and that they haven’t examined variant standards such as PDF/A, which use digital signatures to verify the integrity of a document.

If you need to add digital signatures to PDF documents, or need to check that digital signatures are valid, then for the moment at least you will need to use the latest release of Adobe Acrobat. No other Mac app will do, I’m afraid.