We developed three classes of attacks on PDF Signatures. Each attack class abuses a missing signature verification step.
We evaluated our attacks against two types of applications: the well-known desktop applications that everyone uses on a daily basis, and online validation services. The latter are often used in the business world to validate the signature of a PDF document and return a validation report as a result.
During our research, we identified 21 out of 22 desktop viewer applications and 5 out of 7 online validation services as vulnerable to at least one of our attacks.
You can find the detailed results of our evaluation on the following web pages:
Because most of the analyzed software is closed source we can only guess, but in our opinion there are 2 main reasons for the successful attacks:
The association responsible for the standardization of the Portable Document Format issued a statement regarding our findings.