Adobe Systems Incorporated Affected

Notified:  October 08, 2002 Updated: July 14, 2003

Status

Affected

Vendor Statement

[Statement Date: 03/20/2003]

Adobe Systems Inc. has confirmed that the plug-in loading and verification mechanism of Adobe Acrobat products can be circumvented under certain circumstances to allow execution of plug-ins not authorized and licensed by Adobe. This vulnerability does not affect the integrity of digital signatures used within a PDF document or affect any other aspects of a document's confidentiality, integrity and authenticity. Plug-ins must be manually installed by a user and cannot be automatically installed when opening a PDF document.

OVERVIEW:

Third party developers can write plug-ins based on the Acrobat SDK to extend functionality included within the products. There are two classes of plug-ins:

- Adobe Acrobat plug-ins
- Adobe Acrobat Reader plug-ins

Developers can write Adobe Acrobat plug-ins without licenses or enabling keys from Adobe. Adobe Acrobat Reader plug-ins require a license agreement and enabling key from Adobe as part of the Acrobat Reader Integration Key License Agreement found at: http://partners.adobe.com/asn/acrobat/index.jsp

For both of these classes of plug-ins, there are two runtime modes for which they are enabled to load and execute:

- Non-certified mode
- Certified mode

Currently all third party plug-ins are restricted to non-certified mode. Only plug-ins shipping from Adobe can run in certified mode, as they require an additional enabling key. While not enabled by default, the certified mode of Adobe Acrobat and Adobe Acrobat Reader is designed to restrict the simultaneous loading of plug-ins to a very limited set specifically approved by Adobe to enforce license agreements and application functionality.

The reported vulnerability allows a developer to write a plug-in that loads in certified mode or in Adobe Acrobat Reader without a valid enabling key and license from Adobe.

This vulnerability affects the following product releases:

- Adobe Acrobat 4.x
- Adobe Acrobat 5.x
- Adobe Acrobat Reader 4.x
- Adobe Acrobat Reader 5.x

MITIGATING FACTORS:

While digital signature technology is used to validate a plug-in, this vulnerability does not affect any digital signatures used within a PDF document as they are separate cryptographic processes within Acrobat.

Plug-ins do not install themselves automatically and users must perform specific steps to allow a plug-in to load when launching Adobe Acrobat and Adobe Acrobat Reader. This vulnerability will not adversely affect an Acrobat user's system unless they download and install malicious third party software. Adobe recommends that users only install software, including application plug-ins, from known sources they trust.

If a user or administrator wishes to restrict their systems from loading any additional software, including plug-ins, they are encouraged to use the lock down settings provided by the operating system to restrict software installation.

The security mechanism for loading certified plug-ins will be updated in an upcoming release of Adobe Acrobat and Adobe Acrobat Reader available in the second quarter of 2003.

Exploits of this vulnerability violate the End User License Agreement included with Adobe Acrobat and Adobe Acrobat Reader.

Adobe encourages the security community to report vulnerabilities so they can be quickly and appropriately addressed for our customers. Reports should be submitted via: http://www.adobe.com/misc/securityform.html

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

A related statement from Adobe is available in Vulnerability Note VU#689835.

While this issue has been addressed in Adobe Acrobat 6 and Adobe Acrobat Reader 6 for plug-ins certified by Adobe, plug-ins signed with the Reader integration key may still be spoofed and loaded at startup. Please see the Solution section of Vulnerability Note VU#689835 for potential workarounds to this issue.