
CERT Coordination Center

Adobe Acrobat PDF viewers contain flaw when loading and verifying plug-ins

Vulnerability Note VU#549913

Original Release Date: 2003-03-19 | Last Revised: 2003-07-15

Overview

Acrobat plug-ins can be digitally signed to determine whether they should be loaded by Adobe Acrobat Reader at startup. This digital signature mechanism is not cryptographically strong and allows other potentially-malicious plug-in code to pretend to be certified by Adobe and be executed by Acrobat Reader even when in 'Certified Plug-ins Only' mode.

Description

Adobe Acrobat is software designed to create and manipulate Portable Document Format (PDF) files. The Adobe Acrobat Reader is a more widely-deployed free PDF viewer. Acrobat plug-ins are separate executable code modules designed to use the Acrobat SDK to work within the Acrobat framework and extend the functionality and features of Adobe's PDF viewers. These are typically dynamic libraries installed in a plug_ins directory (with the extension .api on Windows systems). Installed plug-ins run with the same execution privileges as the user running the Acrobat PDF viewer, but may cause other plug-ins to not be loaded at startup, depending on whether they are digitally signed to be "Acrobat Reader enabled."

Plug-ins can be digitally signed to provide some level of authenticity when being loaded into the Acrobat viewer environment (i.e., "Acrobat Reader enabled"). This is particularly useful in the Adobe Acrobat Reader software, as plug-ins not signed with an integration key (provided to legally licensed third-party developers only) should not be loaded when a preference is set to allow only Adobe certified plug-ins at startup. This preference is set in the viewer configuration (Acrobat Reader 5.1 for Windows, for example, has a 'Certified Plug-ins Only' checkbox under menu Edit->Preferences...->Options and stores its value in a registry key). The default setting for the "certified plug-ins only" preference varies according to installation path, version and platform of the Acrobat viewer. This digital certification has nothing to do with digital signatures applied to PDF documents. As noted in Adobe Acrobat Reader 5.1 Help (page 53):

Certified Plug-ins Only
Loads only Adobe-certified third-party plug-ins. If you use non-certified plug-ins for Acrobat Reader, make sure that you select this option to use the Web Buy feature or to open documents with additional usage rights.

The digital signature mechanism used by Adobe Acrobat and Adobe Acrobat Reader to determine if a plug-in is certified ("Reader enabled") only checks the Portable Executable (PE) header of the plug-in file (dynamic library). This cryptographic weakness can be used to make unsigned plug-ins appear to be certified by Adobe and loaded by Adobe Acrobat Reader regardless of the 'Certified Plug-ins Only' setting.
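The weakness above is one of signature coverage: a signature that covers only the file header says nothing about the code that follows it. The following is an added illustration, not Adobe's code (the note does not describe the real Acrobat check or its signature format); it uses a constructed PE-like image and HMAC-SHA256 as a stand-in signing scheme to contrast a header-only verifier with one that covers the whole image.

```python
"""Signature coverage: header-only vs whole-image verification.

Added illustration, not Adobe's code; the real Acrobat check and signature
format are not described in the note. A constructed PE-like image (fixed
header followed by code) is signed with HMAC-SHA256 as a stand-in scheme.
"""
import hashlib
import hmac

HEADER_LEN = 64                                       # constructed header size
SIGNING_KEY = b"constructed-vendor-integration-key"  # stand-in for the vendor key


def build_image(code: bytes) -> bytes:
    """Constructed plug-in image: fixed-size header followed by the code body."""
    header = (b"PE\x00\x00" + b"plug-in header (constructed)").ljust(HEADER_LEN, b"\x00")
    return header + code


def sign(data: bytes, key: bytes = SIGNING_KEY) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def verify_header_only(image: bytes, sig: bytes, key: bytes = SIGNING_KEY) -> bool:
    """Weak check (the flaw the note describes): only the header is covered,
    so the code that follows it can change without invalidating the signature."""
    return hmac.compare_digest(sign(image[:HEADER_LEN], key), sig)


def verify_full_image(image: bytes, sig: bytes, key: bytes = SIGNING_KEY) -> bool:
    """Hardened check: the signature covers every byte that will be loaded."""
    return hmac.compare_digest(sign(image, key), sig)


def coverage_demo() -> dict:
    """Sign a certified image, then pair its header with a different code body."""
    certified = build_image(b"certified plug-in code (constructed)")
    header_sig = sign(certified[:HEADER_LEN])  # what the weak scheme signs
    full_sig = sign(certified)                 # what the hardened scheme signs
    swapped = certified[:HEADER_LEN] + b"uncertified code (constructed)"
    return {
        "weak_accepts_original": verify_header_only(certified, header_sig),
        "weak_accepts_swapped_body": verify_header_only(swapped, header_sig),
        "full_accepts_original": verify_full_image(certified, full_sig),
        "full_accepts_swapped_body": verify_full_image(swapped, full_sig),
    }
```

The header-only verifier accepts the swapped body because nothing it hashes has changed; the whole-image verifier rejects it, which is the property a plug-in certification check needs.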

Impact

An intruder can exploit this vulnerability to make an unsigned plug-in appear to be certified by Adobe for use in Acrobat Reader:

    • Any user induced to install a malicious plug-in with a forged digital signature into an Acrobat viewer plug_ins directory will have no way to differentiate it from other legitimately certified plug-ins (for example, by using Help->About Adobe Acrobat Plug-ins... in Acrobat Reader 5.1 for Windows).
    • Any Acrobat plug-in designed to only load in certified mode in Adobe Acrobat Reader may execute in an untrustworthy computer environment, leading to other malicious behavior.
    • Any PDF document created to only be loaded in Acrobat Reader certified mode may open in an untrustworthy user environment, leading to other malicious behavior.

Solution

Adobe has provided a statement regarding this issue, available here: http://www.kb.cert.org/vuls/id/JSHA-5EZQGZ

One potential workaround is to disallow all plug-ins from loading when an Acrobat viewer starts. To disable plug-in loading, press the 'Shift' key at start up.

Vendor Information


Adobe Systems Incorporated Affected

Notified:  October 08, 2002 Updated: July 14, 2003

Status

Affected

Vendor Statement

[Statement Date: 03/20/2003]

Adobe Systems Inc. has confirmed that the plug-in loading and verification mechanism of Adobe Acrobat products can be circumvented under certain circumstances to allow execution of plug-ins not authorized and licensed by Adobe.

This vulnerability does not affect the integrity of digital signatures used within a PDF document or affect any other aspects of a document's confidentiality, integrity and authenticity.

Plug-ins must be manually installed by a user and cannot be automatically installed when opening a PDF document.

OVERVIEW:

Third party developers can write plug-ins based on the Acrobat SDK to extend functionality included within the products.  There are two classes of plug-ins:

    • Adobe Acrobat plug-ins
    • Adobe Acrobat Reader plug-ins

Developers can write Adobe Acrobat plug-ins without licenses or enabling keys from Adobe.  Adobe Acrobat Reader plug-ins require a license agreement and enabling key from Adobe as part of the Acrobat Reader Integration Key License Agreement found at:

For both of these classes of plug-ins, there are two runtime modes for which they are enabled to load and execute:

    • Non-certified mode
    • Certified mode

Currently all third party plug-ins are restricted to non-certified mode. Only plug-ins shipping from Adobe can run in certified mode, as they require an additional enabling key.  While not enabled by default, the certified mode of Adobe Acrobat and Adobe Acrobat Reader is designed to restrict the simultaneous loading of plug-ins to a very limited set specifically approved by Adobe to enforce license agreements and application functionality.  
 
The reported vulnerability allows a developer to write a plug-in that loads in certified mode or in Adobe Acrobat Reader without a valid enabling key and license from Adobe.

This vulnerability affects the following product releases:

    • Adobe Acrobat 4.x
    • Adobe Acrobat 5.x
    • Adobe Acrobat Reader 4.x
    • Adobe Acrobat Reader 5.x

MITIGATING FACTORS:
 
While digital signature technology is used to validate a plug-in, this vulnerability does not affect any digital signatures used within a PDF document as they are separate cryptographic processes within Acrobat.

Plug-ins do not install themselves automatically and users must perform specific steps to allow a plug-in to load when launching Adobe Acrobat and Adobe Acrobat Reader.  This vulnerability will not adversely affect an Acrobat user's system unless they download and install malicious third party software.  Adobe recommends that users only install software, including application plug-ins, from known sources they trust.

If a user or administrator wishes to restrict their systems from loading any additional software, including plug-ins, they are encouraged to use the lock down settings provided by the operating system to restrict software installation.
 
The security mechanism for loading certified plug-ins will be updated in an upcoming release of Adobe Acrobat and Adobe Acrobat Reader available in the second quarter of 2003.
 
Exploits of this vulnerability violate the End User License Agreement included with Adobe Acrobat and Adobe Acrobat Reader.

Adobe encourages the security community to report vulnerabilities so they can be quickly and appropriately addressed for our customers.  Reports should be submitted via:

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

A related statement from Adobe is available in Vulnerability Note VU#689835.


Acknowledgements

This vulnerability was first disclosed publicly by Dmitry Sklyarov of ElcomSoft Co. Ltd. in July, 2001 ("Security flaw in Acrobat plug-ins certification"). It was subsequently reported to the CERT Coordination Center in September, 2002, by Vladimir Katalov, also of ElcomSoft Co. Ltd.

This document was written by Jeffrey S Havrilla and Cory F. Cohen.

Other Information

CVE IDs: CVE-2002-0030
Severity Metric: 0.84
Date Public: 2001-07-16
Date First Published: 2003-03-19
Date Last Updated: 2003-07-15 20:55 UTC
Document Revision: 108

Sponsored by CISA.