Researchers from Ruhr University Bochum and Münster University revealed PDFex, two vulnerabilities in PDF files that undermine the encryption used to secure their contents. One vulnerability lets attackers manipulate parts of the file to enable direct exfiltration attacks, and the other can be used to "modify existing plaintext" and "construct entirely new encrypted objects."
This isn't an isolated problem. The researchers explained that many companies rely on PDF encryption. Some, like Canon and Samsung, use PDF encryption in their scanners. IBM offers "PDF encryption services for PDF documents and other data (e.g., confidential images) by wrapping them into PDF," they said, and PDF encryption can also be used to keep medical records secure during transfer.
The PDFex vulnerabilities are also hard to avoid because they're problems with the PDF format itself. The researchers said their "evaluation shows that among 27 widely-used PDF viewers, all of them are vulnerable to at least one of those attacks, including popular software such as Adobe Acrobat, Foxit Reader, Evince, Okular, Chrome, and Firefox." They shared more information about this evaluation on a dedicated website.