Hello, welcome to the Thursday, July 23, 2020 edition of the Sandstone Storm Center's Stormcast. My name is Johannes Ulrich.

And today I'm recording from Jacksonville, Florida. A little bit of a wrap-up about the F-5 vulnerability. That was CVE 2020-902 from Rick today. Now, Rick spots still some exploitation

against this vulnerability and noticed one binary in particular being downloaded from

an IP address that he's sharing in this diary. In addition, we also got some user comments.

And yes, it's something I observed too where attackers are adding users to the system.

So double check your Etsy password and also your Cron tab.

That's typically what we have seen in the last few days, how attackers are taking advantage

of this vulnerability.

And then we got a new set actually of vulnerabilities, including proof of concept code that

does show how signed PDF documents may be modified without it actually being visible

in common viewers. So the idea of a signed document is that you add a digital signature,

encrypted hash, and that it does protect the entire document. Now, in many variations of this,

only a certain part of the document is protected,

and it has been tricky to then properly communicate

which part of the document is actually protected

and which one isn't.

And that apparently is sort of a little bit the root cause here of some of these vulnerabilities.

Now, the first vulnerability, they're talking the universal signature forgery.

That's a little bit simpler.

All you do is you essentially modify the signature so it is corrupt.

This will sometimes, and that depends on the viewer, prevent validation of the signature so it is corrupt. This will sometimes, and that depends on the viewer,

prevent validation of the signature, but the signature will still be displayed. The scenario I initially

...