Hi all,
Some of you might have seen this: https://www.pdf-insecurity.org/ // https://www.pdf-insecurity.org/signature/viewer.html .
My organisation currently uses Acrobat Pro DC 2015.006.30243 and Adobe Reader 11.0.10.
What is a recommended "old" and secure version?
Please keep in mind that large-scale orgs can't just download the latest software, as I would do on my personal machine.
Ideally, a bug-fix update of Acrobat Pro DC 2015.x and Adobe Reader 11.x would be very helpful.
Thanks in advance
Matt
The table shows that Acrobat and Reader are only "vulnerable" to the USF (Signature forgery) exploit. But that is equivalent to removing the current signature, changing the file, and signing with a bogus signature that is not trusted. Clearly the user error here is trusting the bogus certificate. Acrobat and Reader (starting with Acrobat 9, I think) are very careful to recreate a field appearance to match the field value, so one of the possible exploits (field value of 10,000,000 not matching an appearance of "100") won't work with Adobe's products.
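As an added illustration (not part of the reply above, and not Adobe's or pdf-insecurity.org's code), the structural checks a practitioner can run on a signed PDF before relying on a viewer's verdict at all. A PDF signature covers the two spans listed in /ByteRange; the gap between them must be exactly the <hex> signature value, and nothing may follow the second span, otherwise bytes exist that no signature covers. The sample files below are constructed byte strings with all-zero placeholder signature values, and the checker assumes a single signature dictionary.

```python
"""Structural sanity checks on a signed PDF's /ByteRange (added example; constructed input)."""
import re
from typing import List

# /ByteRange [offset1 length1 offset2 length2]: the two spans the signature covers.
BYTERANGE_RE = re.compile(rb"/ByteRange\s*\[\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*\]")
# The signature value is a <hex> string; page /Contents entries are refs or arrays, not <hex>.
CONTENTS_RE = re.compile(rb"/Contents\s*<[0-9A-Fa-f]*>")


def build_signed_sample() -> bytes:
    """Constructed, NOT a real PDF: the minimum layout needed to exercise the checks.

    The signature bytes are all-zero placeholders; only the offsets matter here.
    Fixed-width numbers let the offsets be computed before they are written."""
    head = b"%PDF-1.7\n1 0 obj\n<< /Type /Sig /Filter /Adobe.PPKLite /ByteRange "
    br_template = b"[%010d %010d %010d %010d] /Contents "
    hexsig = b"<" + b"00" * 32 + b">"
    tail = b" >>\nendobj\ntrailer\n<< /Root 1 0 R >>\n%%EOF\n"
    contents_start = len(head) + len(br_template % (0, 0, 0, 0))
    contents_end = contents_start + len(hexsig)
    total = contents_end + len(tail)
    byte_range = br_template % (0, contents_start, contents_end, total - contents_end)
    return head + byte_range + hexsig + tail


def build_tampered_sample() -> bytes:
    """Constructed: the same file with an incremental update appended after signing.

    The signed bytes are untouched, so the signature itself would still verify;
    the appended object simply lies outside the signed range."""
    update = b"2 0 obj\n<< /Type /Annot /Subtype /FreeText /Contents (not covered) >>\nendobj\n%%EOF\n"
    return build_signed_sample() + update


def check_byte_range(pdf: bytes) -> List[str]:
    """Return human-readable findings; an empty list means the layout is consistent.

    Handles one signature dictionary (assumption). Layout checks only: whether the
    signature bytes are genuine and whether the signer's certificate is trusted is
    a separate, cryptographic question that this function does not answer."""
    findings = []
    m = BYTERANGE_RE.search(pdf)
    if not m:
        return ["no /ByteRange found: unsigned file, or a layout this checker does not parse"]
    o1, l1, o2, l2 = (int(x) for x in m.groups())

    if o1 != 0:
        findings.append(f"signed range starts at offset {o1}, not 0: the header is not covered")

    # The gap between the two spans must be exactly one <hex> /Contents string.
    gap_ok = False
    for c in CONTENTS_RE.finditer(pdf):
        hex_start = c.start() + c.group().index(b"<")
        if (hex_start, c.end()) == (o1 + l1, o2):
            gap_ok = True
            break
    if not gap_ok:
        findings.append(f"ByteRange gap [{o1 + l1}, {o2}) does not line up with a /Contents <hex> "
                        "string: unsigned bytes hidden inside the document")

    trailing = len(pdf) - (o2 + l2)
    if trailing > 0:
        findings.append(f"{trailing} bytes follow the signed range: an incremental update "
                        "was appended after signing")
    elif trailing < 0:
        findings.append("ByteRange extends past end of file: truncated or malformed")
    return findings


if __name__ == "__main__":
    for name, sample in (("clean", build_signed_sample()), ("tampered", build_tampered_sample())):
        print(name, check_byte_range(sample) or ["ok"])
```

Two caveats when reading the output. Trailing bytes are how legitimate workflows (a second signer, form fields filled after signing) also work, so that finding is a triage flag to inspect, not proof of forgery. And the USF-style case the reply describes, a well-formed but untrusted signature over a modified file, passes every one of these layout checks; only certificate trust catches it, which is exactly the point being made above.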
Reader 11 is past its end-of-life date and will not be supported any longer.
All versions of Acrobat DC are regularly updated. The last vulnerable version mentioned on that site is from October 2018. There have been multiple updates since then (5, as far as I can tell), which might have solved this issue.
If you want to get security updates you need to have the latest version.
If orgs will not consider downloading the latest software then they are leaving themselves open to attack. This is a very questionable policy. But you are running Reader XI and concerned about security? It is End Of Life and has known unfixed security issues.