Copy link to clipboard
Copied
Hello,
Does anyone know if Adobe has patched the known issue with the redaction function not successfully sanitizing CMap objects when the source document is originated from CutePDF or LibreOffice Writer documents? This article from April 2019 described the security vulnerability: https://www.cyber.gov.au/publications/redaction-functionality-in-adobe-acrobat-pro
Below is the vulnerability they described in the article above:
Remnants of redacted information were recovered from PDF documents created with CutePDF and LibreOffice Writer.
The remnants of redacted information were located within objects containing embedded font maps (CMap objects) [7]. The ability to recover these data remnants was the result of differences in the mechanisms used by CutePDF and LibreOffice Writer to embed font maps, and the Adobe Acrobat redaction functionality’s inability to identify and remove them. The Adobe Acrobat sanitisation functionality also failed to remove these data remnants.
Thanks, Chris
Copy link to clipboard
Copied
Carefully read the attached document. There is no problem with using the redaction feature of Acrobat on PDFs created with Acrobat or MS Word. The problem is when the document is created by Libre Office or Cute PDF. The and e was no issue found when using the Acrobat product and MS Word when the Acrobat plug-in was installed. The issue clearly lies in the rendering engines of Libre Office and Cute PDF. There is no mention of testing of other PDF creation products like OpenOffice.org, Qucik PDF, or Foxit PDF. It is possible that Adobe has it right and the other products are not following or misinterpreting the PDF standard. This research also shows how complex redaction can be. This type of analysis is far beyond most users and requires a deep understanding of the PDF rendering process and how selecting one method over another can result in very different results.
I think it would be best to go back to the source document and redact the information from that document and then create the PDF. One should of crouse make sure there is no change tracking being used in source document.
Copy link to clipboard
Copied
Agreed - there is no problem when the source documents were created in Acrobat or MS Word. The ACSC documents that the issue is when source documents are from LibreOffice or CutePDF. If you further read the document they isolated/pinpointed it specifically to the sanitization of CMap objects. The article lists the specific areas caused and it would be great if Adobe could weigh in on this. It is simple to say use Word or Adobe Acrobat to generate source documents, but for larger organizations handling PDFs generated outside of Word or Adobe Acrobat (think cloud computing, downloading a bank statement as PDF from the web, etc) these are real life situations where the source document is outside of word or Adobe. Proposing to go back to source documents (PDFs that are already flattened) to redact is not an option. Temporary workaround is to check the document properties for the source.