Acrobat plug-ins can be digitally signed to determine whether they should be loaded by Adobe Acrobat Reader at startup. This digital signature mechanism is not cryptographically strong and allows other potentially-malicious plug-in code to pretend to be certified by Adobe and be executed by Acrobat Reader even when in 'Certified Plug-ins Only' mode.
Adobe Acrobat is software designed to create and manipulate Portable Document Format (PDF) files. The Adobe Acrobat Reader is a more widely-deployed free PDF viewer. Acrobat plug-ins are separate executable code modules designed to use the Acrobat SDK to work within the Acrobat framework and extend the functionality and features of Adobe's PDF viewers. These are typically dynamic libraries installed in a plug_ins directory (with the extension .api on Windows systems). Installed plug-ins run with the same execution privileges as the user running the Acrobat PDF viewer, but may cause other plug-ins to not be loaded at startup, depending on whether they are digitally signed to be "Acrobat Reader enabled."
Plug-ins can be digitally signed to provide some level of authenticity when being loaded into the Acrobat viewer environment (i.e., "Acrobat Reader enabled"). This is particularly useful in the Adobe Acrobat Reader software, as plug-ins not signed with an integration key (provided to legally licensed third-party developers only) should not be loaded when a preference is set to allow only Adobe certified plug-ins at startup. This preference is set in the viewer configuration (Acrobat Reader 5.1 for Windows, for example, has a 'Certified Plug-ins Only' checkbox under menu Edit->Preferences...->Optionsand stores its value in a registry key). The default setting for the "certified plug-ins only" preference varies according to installation path, version and platform of the Acrobat viewer. This digital certification has nothing to do with digital signatures applied to PDF documents. As noted in Adobe Acrobat Reader 5.1 Help (page 53):
An intruder can exploit this vulnerability to make an unsigned plug-in appear to be certified by Adobe for use in Acrobat Reader:
One potential workaround is to disallow all plug-ins from loading when an Acrobat viewer starts. To disable plug-in loading, press the 'Shift' key at start up.
This vulnerability was first disclosed publicly by Dmitry Sklyarov of ElcomSoft Co. Ltd. in July, 2001 ("Security flaw in Acrobat plug-ins certification"). It was subsequently reported to the CERT Coordination center in September, 2002, by Vladimir Katalov, also of ElcomSoft Co. Ltd.
This document was written by Jeffrey S Havrilla and Cory F. Cohen.
|Date First Published:||2003-03-19|
|Date Last Updated:||2003-07-15 20:55 UTC|