US-CERT Vulnerability Notes Database

Adobe Systems Incorporated Information for VU#689835

Date Notified: 2003-07-08
Date Updated:
Statement Date:
Status Summary: Vulnerable

Vendor Statement

[Statement Date: 7/9/2003]

TITLE: Digital Rights Management (DRM) and the Adobe Acrobat/PDF Security Model

OVERVIEW
Adobe encourages the security community to report truthful and legitimate
security vulnerabilities so they can be quickly and appropriately
addressed for customers. Recently, an organization publicly disclosed a
theoretical vulnerability within the Adobe Acrobat/PDF product.
Unfortunately, the information was inaccurate and misleading.

DESCRIPTION
Adobe PDF includes several mechanisms to protect electronic documents.
This includes encryption, digital signatures, and digital rights
management.

* Encryption can be used with passwords or public key infrastructure
(PKI) to restrict access to confidential electronic content. Using strong
passwords with 128-bit RC4 symmetric encryption or PKI certificates, Adobe
PDF provides added assurances that protected documents can only be opened
by the intended recipients.

* Digital signatures can be used with PKI to provide authenticity and
integrity checking capabilities to sensitive electronic content. Using up
to 2048-bit RSA keys, Adobe PDF provides added assurances that protected
content originated from the named author and that the content has not been
altered since authoring.

* Digital rights management can be used to control the distribution and
usage of copyrighted material. This may include restrictions for print,
copy, read aloud and expiration of content.

Adobe provides a plug-in architecture for developers to further enhance
these protection capabilities within Adobe Acrobat and Adobe Reader. The
Software Development Kit (SDK) can be found at
http://partners.adobe.com/asn/acrobat/index.jsp

There are four types of plug-ins available for Adobe PDF products:

1. Adobe Acrobat plug-in
2. Adobe Reader plug-in
3. Adobe Acrobat Certified plug-in
4. Adobe Reader Certified plug-in

Developers can freely write plug-ins for Adobe Acrobat. Adobe Reader
plug-ins require a license agreement and an enabling key from Adobe as
part of the Adobe Reader Integration Key License Agreement (IKLA). The
purpose of the Reader enabling plug-in architecture and IKLA is for
licensing only and does not imply suitability or endorsement by Adobe of
third party plug-ins. The Certified Mode of both Adobe Acrobat and Adobe
Reader is used to provide added assurances that only plug-ins provided by
Adobe are compatible. All third party plug-ins are restricted to
non-certified mode.

As reported in the CERT/CC Vulnerability Note 549913,
http://www.kb.cert.org/vuls/id/549913
Adobe Acrobat and Adobe Reader versions 4.X and 5.X utilized the same
mechanism to restrict Reader and Certified plug-ins, which could be
bypassed in certain circumstances. As noted, Adobe Acrobat and Adobe
Reader version 6.X have been updated to provide a new Certified Mode
verification scheme. When specifically enabled within the product, only
Certified plug-ins - those supplied by Adobe - will load on a user's
system. For backward compatibility, Reader plug-in verification mechanisms
have not been changed in version 6.X.

IMPACT
Adobe/PDF products rely on a third-party operating system and these
operating systems do not currently restrict loading of multiple
applications in shared computer memory. Therefore, Adobe does not make any
warranties about plug-ins to Adobe applications or other applications on
an operating system that may affect Digital Rights Management capabilities
within Adobe PDF products. Electronic content that can be viewed or heard
could be potentially copied through digital and/or analog means.
Technology alone is not a complete barrier to prevent the stealing of
copyrighted material.

An organization has publicly posted theoretical information that could be
used to help circumvent Digital Rights Management capabilities in Adobe
Acrobat/PDF using the plug-in architecture. A product created using this
information could encourage illegal activity and potential violations of
the End User License Agreement for Adobe Acrobat and Adobe Reader
products.

This information also includes inaccurate statements related to other
elements of Adobe Acrobat/PDF security and contains no credible
information concerning weaknesses in document encryption or digital
signature capabilities of Adobe Acrobat/PDF related security
infrastructure. Users of Adobe applications are not at risk from the
information contained in these erroneous reports.

SOLUTION
Since this is a theoretical vulnerability and does not pose a risk to
Acrobat customers, Adobe will not be issuing an update to Adobe Acrobat or
Adobe Reader to modify plug-in loading mechanisms.

Authors who determine their copyrighted material has been illegally
duplicated, in any format, are encouraged to pursue appropriate legal
action.

Legitimate security vulnerabilities can be reported to Adobe at
http://www.adobe.com/misc/securityform.html


*** END PGP VERIFIED MESSAGE ***
*** PGP Signature Status: good
*** Signed: 7/9/2003 10:22:46 PM

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Please see the Solution section of Vulnerability Note VU#689835 for potential workarounds to this issue.


Produced 2009 by US-CERT, a government organization