Vulnerability Note VU#549913
Adobe Acrobat PDF viewers contain flaw when loading and verifying plug-ins
Acrobat plug-ins can be digitally signed to determine whether they should be loaded by Adobe Acrobat Reader at startup. This digital signature mechanism is not cryptographically strong and allows other potentially-malicious plug-in code to pretend to be certified by Adobe and be executed by Acrobat Reader even when in 'Certified Plug-ins Only' mode.
Adobe Acrobat is software designed to create and manipulate Portable Document Format (PDF) files. The Adobe Acrobat Reader is a more widely-deployed free PDF viewer. Acrobat plug-ins are separate executable code modules designed to use the Acrobat SDK to work within the Acrobat framework and extend the functionality and features of Adobe's PDF viewers. These are typically dynamic libraries installed in a plug_ins directory (with the extension .api on Windows systems). Installed plug-ins run with the same execution privileges as the user running the Acrobat PDF viewer, but may cause other plug-ins to not be loaded at startup, depending on whether they are digitally signed to be "Acrobat Reader enabled."
Plug-ins can be digitally signed to provide some level of authenticity when being loaded into the Acrobat viewer environment (i.e., "Acrobat Reader enabled"). This is particularly useful in the Adobe Acrobat Reader software, as plug-ins not signed with an integration key (provided to legally licensed third-party developers only) should not be loaded when a preference is set to allow only Adobe certified plug-ins at startup. This preference is set in the viewer configuration (Acrobat Reader 5.1 for Windows, for example, has a 'Certified Plug-ins Only' checkbox under menu Edit->Preferences...->Optionsand stores its value in a registry key). The default setting for the "certified plug-ins only" preference varies according to installation path, version and platform of the Acrobat viewer. This digital certification has nothing to do with digital signatures applied to PDF documents. As noted in Adobe Acrobat Reader 5.1 Help (page 53):
Loads only Adobe-certified third-party plug-ins. If you use non-certified plug-ins for Acrobat Reader, make sure that you select this option to use the Web Buy feature or to open documents with additional usage rights.
The digital signature mechanism used by Adobe Acrobat and Adobe Acrobat Reader to determine if a plug-in is certified ("Reader enabled") only checks the Portable Executable (PE) header of the plug-in file (dynamic library). This cryptographic weakness can be used to make unsigned plug-ins appear to be certified by Adobe and loaded by Adobe Acrobat Reader regardless of the 'Certified Plug-ins Only' setting.
An intruder can exploit this vulnerability to make an unsigned plug-in appear to be certified by Adobe for use in Acrobat Reader:
One potential workaround is to disallow all plug-ins from loading when an Acrobat viewer starts. To disable plug-in loading, press the 'Shift' key at start up.
Systems Affected (Learn More)
|Vendor||Status||Date Notified||Date Updated|
|Adobe Systems Incorporated||Affected||08 Oct 2002||14 Jul 2003|
CVSS Metrics (Learn More)
This vulnerability was first disclosed publicly by Dmitry Sklyarov of ElcomSoft Co. Ltd. in July, 2001 ("Security flaw in Acrobat plug-ins certification"). It was subsequently reported to the CERT Coordination center in September, 2002, by Vladimir Katalov, also of ElcomSoft Co. Ltd.
This document was written by Jeffrey S Havrilla and Cory F. Cohen.
- CVE IDs: CAN-2002-0030
- Date Public: 16 Jul 2001
- Date First Published: 19 Mar 2003
- Date Last Updated: 15 Jul 2003
- Severity Metric: 0.84
- Document Revision: 108
If you have feedback, comments, or additional information about this vulnerability, please send us email.