Vulnerability Note VU#549913

Adobe Acrobat PDF viewers contain flaw when loading and verifying plug-ins

Original Release date: 19 Mar 2003 | Last revised: 15 Jul 2003

Overview

Acrobat plug-ins can be digitally signed to determine whether they should be loaded by Adobe Acrobat Reader at startup. This digital signature mechanism is not cryptographically strong and allows other potentially-malicious plug-in code to pretend to be certified by Adobe and be executed by Acrobat Reader even when in 'Certified Plug-ins Only' mode.

Description

Adobe Acrobat is software designed to create and manipulate Portable Document Format (PDF) files. The Adobe Acrobat Reader is a more widely-deployed free PDF viewer. Acrobat plug-ins are separate executable code modules designed to use the Acrobat SDK to work within the Acrobat framework and extend the functionality and features of Adobe's PDF viewers. These are typically dynamic libraries installed in a plug_ins directory (with the extension .api on Windows systems). Installed plug-ins run with the same execution privileges as the user running the Acrobat PDF viewer, but may cause other plug-ins to not be loaded at startup, depending on whether they are digitally signed to be "Acrobat Reader enabled."

Plug-ins can be digitally signed to provide some level of authenticity when being loaded into the Acrobat viewer environment (i.e., "Acrobat Reader enabled"). This is particularly useful in the Adobe Acrobat Reader software, as plug-ins not signed with an integration key (provided to legally licensed third-party developers only) should not be loaded when a preference is set to allow only Adobe certified plug-ins at startup. This preference is set in the viewer configuration (Acrobat Reader 5.1 for Windows, for example, has a 'Certified Plug-ins Only' checkbox under menu Edit->Preferences...->Optionsand stores its value in a registry key). The default setting for the "certified plug-ins only" preference varies according to installation path, version and platform of the Acrobat viewer. This digital certification has nothing to do with digital signatures applied to PDF documents. As noted in Adobe Acrobat Reader 5.1 Help (page 53):

    Certified Plug-ins Only
    Loads only Adobe-certified third-party plug-ins. If you use non-certified plug-ins for Acrobat Reader, make sure that you select this option to use the Web Buy feature or to open documents with additional usage rights.

The digital signature mechanism used by Adobe Acrobat and Adobe Acrobat Reader to determine if a plug-in is certified ("Reader enabled") only checks the Portable Executable (PE) header of the plug-in file (dynamic library). This cryptographic weakness can be used to make unsigned plug-ins appear to be certified by Adobe and loaded by Adobe Acrobat Reader regardless of the 'Certified Plug-ins Only' setting.

Impact

An intruder can exploit this vulnerability to make an unsigned plug-in appear to be certified by Adobe for use in Acrobat Reader:

  • Any user induced to install a malicious plug-in with a forged digital signature into an Acrobat viewer plug_ins directory will have no way to differentiate it from other legitimately certified plug-ins (for example, by using Help->About Adobe Acrobat Plug-ins...in Acrobat Reader 5.1 for Windows).
  • Any Acrobat plug-in designed to only load in certified mode in Adobe Acrobat Reader may execute in an untrustworthy computer environment, leading to other malicious behavior.
  • Any PDF document created to only be loaded in Acrobat Reader certified mode may open in an untrustworthy user environment, leading to other malicious behavior.

Solution

Adobe has provided a statement regarding this issue, available here:
http://www.kb.cert.org/vuls/id/JSHA-5EZQGZ

One potential workaround is to disallow all plug-ins from loading when an Acrobat viewer starts. To disable plug-in loading, press the 'Shift' key at start up.

Systems Affected (Learn More)

VendorStatusDate NotifiedDate Updated
Adobe Systems IncorporatedAffected08 Oct 200214 Jul 2003
If you are a vendor and your product is affected, let us know.

CVSS Metrics (Learn More)

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A N/A

References

Credit

This vulnerability was first disclosed publicly by Dmitry Sklyarov of ElcomSoft Co. Ltd. in July, 2001 ("Security flaw in Acrobat plug-ins certification"). It was subsequently reported to the CERT Coordination center in September, 2002, by Vladimir Katalov, also of ElcomSoft Co. Ltd.

This document was written by Jeffrey S Havrilla and Cory F. Cohen.

Other Information

  • CVE IDs: CAN-2002-0030
  • Date Public: 16 Jul 2001
  • Date First Published: 19 Mar 2003
  • Date Last Updated: 15 Jul 2003
  • Severity Metric: 0.84
  • Document Revision: 108

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.