Which Acrobat Version is immune against signature spoofing?

Question

Hi all,some of you might have seen this: https://www.pdf-insecurity.org/  // https://www.pdf-insecurity.org/signature/viewer.html .My organisation currently uses Acrobat Pro DC 2015.006.30243 and Adobe Reader 11.0.10.What is a recommended "old", and secure version?Please keep in mind, that large scale orgs can't just download the latest software, as I would do on my personal machine.Ideally, a bug-fix update of Acrobat Pro DC 2015.x and Adobe Reader 11.x would be very helpful.Thanks in advanceMatt

margueritek · Accepted Answer

The table shows that Acrobat ahd Reader are only "vulnerable" to the USF (Signature forgery) exploit. But that is equivalent to removing the current signature, changing the file, and signing with a bogus signature, that is not trusted. Clearly the user error here is trusting the bogus certificate. Acrobat and Reader (starting with Acrobat 9, I think) are very careful to recreate a field appearance to match the field value, so one of the possible expolits (field value of 10,000,000 not matching an appearance of "100") won't work with Adobe's products.

Test Screen Name · Answer

If orgs will not consider downloading the latest software then they are leaving themselves open to attack. This is a very questionable policy. But you are running Reader XI and concerned about security? It is End Of Life and has known unfixed security issues.

Sign up

To post, reply, or follow discussions, please sign in with your Adobe ID.

Sign in to Adobe Community

To post, reply, or follow discussions, please sign in with your Adobe ID.

Scanning file for viruses.

This file cannot be downloaded