By default, Adobe PDF viewers start up and load non-certified plug-ins installed in a local plug_ins directory. Adobe Reader plug-ins not certified by Adobe, if allowed to load, can execute arbitrary code in the process space of the running viewer. One incremental impact of such arbitrary code execution is to put the viewer into 'Certified Mode', allowing the circumvention of certain digital rights management features such as restrictions on printing, copying of text, etc.
Adobe Acrobat is software designed to create and manipulate Portable Document Format (PDF) files. Adobe Reader is a more widely deployed free PDF viewer. Acrobat plug-ins are separate executable code modules designed to use the Acrobat SDK to work within the Acrobat framework and extend the functionality and features of Adobe's PDF viewers. These are typically dynamic libraries installed in a plug_ins directory (with the extension .api on Windows systems). Installed plug-ins run with the same execution privileges as the user running the Acrobat PDF viewer, but may cause other plug-ins not to be loaded at startup, depending on whether they are digitally signed by Adobe's certification key.
There are three primary cryptographic features in Adobe Acrobat and Adobe Reader products. These are:
The vulnerability described in VU#549913 ("Adobe Acrobat PDF viewers contain flaw when loading and verifying plug-ins") is still present in Adobe Acrobat 6.0 and Adobe Reader 6.0 when loading of non-certified plug-ins is allowed (the default setting). Since plug-ins can run arbitrary code, users of these products will want to make sure untrusted plug-ins are not installed or loaded. Because Version 6 certified plug-ins are now verified using strong cryptography, enabling the 'Use Only Certified Plug-ins' option will ensure that only plug-ins legitimately signed and distributed by Adobe will load (see the checkbox in the 'Application Startup' area under menu item 'Edit->Preferences->Startup').
There are two classes of end-users affected by this report:
Consumers of Adobe Acrobat and Adobe Reader Products
Attackers that can convince users to download and install malicious programs (non-certified plug-ins) may be able to execute arbitrary code on the user's system. Executing arbitrary code may allow an attacker to display false information when reporting document information and circumvent digital rights management features that prevent printing, copying of text, etc. This can only happen via non-certified plug-ins installed in a plug_ins directory when the 'Use Only Certified Plug-ins' checkbox is turned off, the default state in Adobe Acrobat 6.0 and Adobe Reader 6.0.
Digital Content Providers
Digital content providers cannot rely on plug-in cryptographic verification mechanisms to prevent attackers from gaining certain rights. These rights include printing, copying of text, and other digital-rights-management features when the attacker is able to access legitimately decrypted documents and has control of the local system. Note that this can happen regardless of the plug-in architecture used. The ability of any application to protect such rights depends on the underlying operating system architecture, not on the application architecture.
Workarounds

There are two classes of end-user response to this report:

Consumers of Adobe Acrobat and Adobe Reader Products

Be careful not to install untrusted software, including non-certified Adobe plug-ins (those not signed and deployed by Adobe), unless absolutely certain of the origin and integrity of such software. Unverified non-certified plug-ins can be removed from the plug-ins directory, and they will no longer load at startup.

If you desire additional protection, you may wish to set the certified-plug-ins-only feature. When the 'Use Only Certified Plug-ins' checkbox under 'Edit->Preferences->Startup' (under 'Application Startup') is enabled (not the default), non-certified plug-ins are prevented from loading at startup.

Finally, to prevent all plug-ins from loading when an Acrobat viewer starts, press the 'Shift' key while the application is starting.
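As an added example (not part of this CERT/CC note or of Adobe's software), the following Python script records a baseline of the .api files in a plug_ins directory and reports any plug-in added, removed or altered since, so a newly dropped non-certified plug-in stands out for review and removal. The Reader 6.0 install path is an assumption; any other plug_ins directory can be passed as the first argument.

```python
"""Baseline-and-diff check for the plug_ins directory of an Adobe PDF viewer."""
import hashlib
import json
import sys
import tempfile
from pathlib import Path

# Assumed default Reader 6.0 location on Windows; pass another path as argv[1].
DEFAULT_PLUGIN_DIR = r"C:\Program Files\Adobe\Acrobat 6.0\Reader\plug_ins"


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def inventory(plugin_dir) -> dict:
    """Map every *.api file in plugin_dir (case-insensitive) to its SHA-256."""
    root = Path(plugin_dir)
    return {p.name: sha256_bytes(p.read_bytes())
            for p in sorted(root.iterdir())
            if p.is_file() and p.suffix.lower() == ".api"}


def diff_inventory(baseline: dict, current: dict) -> dict:
    """Plug-ins added, removed or altered since the baseline was recorded."""
    common = set(baseline) & set(current)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(n for n in common if baseline[n] != current[n]),
    }


def demo() -> dict:
    """Constructed walk-through in a temporary plug_ins directory (no real plug-ins)."""
    with tempfile.TemporaryDirectory() as tmp:
        plug_ins = Path(tmp) / "plug_ins"
        plug_ins.mkdir()
        (plug_ins / "Known.api").write_bytes(b"constructed plug-in contents")
        baseline = inventory(plug_ins)
        # Later, an unverified plug-in appears and a known one is altered.
        (plug_ins / "Unknown.api").write_bytes(b"constructed non-certified plug-in")
        (plug_ins / "Known.api").write_bytes(b"constructed plug-in contents, altered")
        return diff_inventory(baseline, inventory(plug_ins))


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else DEFAULT_PLUGIN_DIR
    if Path(target).is_dir():
        # Save this JSON as the baseline and diff a later run against it.
        print(json.dumps(inventory(target), indent=2))
    else:
        print(json.dumps(demo(), indent=2))
```

Any name under "added" or "modified" that is not a plug-in you installed deliberately is a candidate for removal from the plug_ins directory, as the workaround above describes.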
Digital Content Providers

Do not rely on any digital rights management features enforced solely via non-certified plug-ins for critical content. When appropriate, use the stronger document signature and encryption features built into the Adobe Acrobat products.
Thanks to Vladimir Katalov of ElcomSoft Co. Ltd. for reporting this vulnerability to the CERT/CC. Thanks to Adobe Systems Incorporated for working with CERT/CC to help inform the Internet community about these issues.
This document was written by Cory F. Cohen and Jeffrey S. Havrilla.
Date First Published: 2003-07-15
Date Last Updated: 2003-07-15 23:36 UTC