The website www.pdf-insecurity.org describes a number of attacks on PDF digital signatures, and provided a number of testcases to demonstrate these. Our API failed to notice modifications to a digital signature in one category of failure. However for this attack to be practical the original signature has be be created in a very unusual way, so we feel this attack is largely theoretical.
It only applies to signature verification with our API, not signature creation.
There are quite a few other improvements. We’ve finally added support for the combination of “Compressed XRef” and “Linearized”, or “Web Ready” PDFs. The only browser that continues to support this with Acrobat Reader is Internet Explorer, so this isn’t as useful as it was, but for those creating large PDFs for corporate networks where the client setup is known in advance, it may be useful.
We've also done some work on digital signatures. Perhaps most interesting is the new GlobalSignDSS class, to create signatures that work with GlobalSign's new digital signing service (there will be a blog post on this to follow, watch this space), but we've also added a general mechanism to manage the signing process externally, should you wish to create your own signing service. A few fixes relating to the addition of long-term validation information to existing signatures rounds, plus the usual number of small fixes for particular documents rounds out this release.
Support has also improved for those working with very large OpenType fonts, such as the Chinese/Japanese/Korean. Our support for OpenType collections has improved, and we’ve managed to reduce the memory footprint quite significantly for some variations.
These are just some of the highlights, for more information please see the changelog.
You can download the latest version from our website.