Adobe Systems Incorporated Affected

Notified:  July 08, 2003 Updated: July 15, 2003

Status

Affected

Vendor Statement

[Statement Date: 7/9/2003]

TITLE: Digital Rights Management (DRM) and the Adobe Acrobat/PDF Security Model

OVERVIEW

Adobe encourages the security community to report truthful and legitimate security vulnerabilities so they can be quickly and appropriately addressed for customers. Recently, an organization publicly disclosed a theoretical vulnerability within the Adobe Acrobat/PDF product. Unfortunately, the information was inaccurate and misleading.

DESCRIPTION

Adobe PDF includes several mechanisms to protect electronic documents. These include encryption, digital signatures, and digital rights management.

* Encryption can be used with passwords or public key infrastructure (PKI) to restrict access to confidential electronic content. Using strong passwords with 128-bit RC4 symmetric encryption or PKI certificates, Adobe PDF provides added assurances that protected documents can only be opened by the intended recipients.

* Digital signatures can be used with PKI to provide authenticity and integrity checking capabilities to sensitive electronic content. Using up to 2048-bit RSA keys, Adobe PDF provides added assurances that protected content originated from the named author and that the content has not been altered since authoring.

* Digital rights management can be used to control the distribution and usage of copyrighted material. This may include restrictions for print, copy, read aloud and expiration of content.

Adobe provides a plug-in architecture for developers to further enhance these protection capabilities within Adobe Acrobat and Adobe Reader. The Software Development Kit (SDK) can be found at http://partners.adobe.com/asn/acrobat/index.jsp

There are four types of plug-ins available for Adobe PDF products:

1. Adobe Acrobat plug-in
2. Adobe Reader plug-in
3. Adobe Acrobat Certified plug-in
4. Adobe Reader Certified plug-in

Developers can freely write plug-ins for Adobe Acrobat. Adobe Reader plug-ins require a license agreement and an enabling key from Adobe as part of the Adobe Reader Integration Key License Agreement (IKLA). The purpose of the Reader enabling plug-in architecture and IKLA is for licensing only and does not imply suitability or endorsement by Adobe of third-party plug-ins. The Certified Mode of both Adobe Acrobat and Adobe Reader is used to provide added assurances that only plug-ins provided by Adobe are compatible. All third-party plug-ins are restricted to non-certified mode.

As reported in the CERT/CC Vulnerability Note 549913, http://www.kb.cert.org/vuls/id/549913, Adobe Acrobat and Adobe Reader versions 4.X and 5.X utilized the same mechanism to restrict Reader and Certified plug-ins, which could be bypassed in certain circumstances. As noted, Adobe Acrobat and Adobe Reader version 6.X have been updated to provide a new Certified Mode verification scheme. When specifically enabled within the product, only Certified plug-ins (those supplied by Adobe) will load on a user's system. For backward compatibility, Reader plug-in verification mechanisms have not been changed in version 6.X.

IMPACT

Adobe/PDF products rely on a third-party operating system, and these operating systems do not currently restrict loading of multiple applications in shared computer memory. Therefore, Adobe does not make any warranties about plug-ins to Adobe applications or other applications on an operating system that may affect Digital Rights Management capabilities within Adobe PDF products. Electronic content that can be viewed or heard could potentially be copied through digital and/or analog means. Technology alone is not a complete barrier to prevent the stealing of copyrighted material.

An organization has publicly posted theoretical information that could be used to help circumvent Digital Rights Management capabilities in Adobe Acrobat/PDF using the plug-in architecture. A product created using this information could encourage illegal activity and potential violations of the End User License Agreement for Adobe Acrobat and Adobe Reader products. This information also includes inaccurate statements related to other elements of Adobe Acrobat/PDF security and contains no credible information concerning weaknesses in document encryption or digital signature capabilities of Adobe Acrobat/PDF related security infrastructure. Users of Adobe applications are not at risk from the information contained in these erroneous reports.

SOLUTION

Since this is a theoretical vulnerability and does not pose a risk to Acrobat customers, Adobe will not be issuing an update to Adobe Acrobat or Adobe Reader to modify plug-in loading mechanisms. Authors who determine their copyrighted material has been illegally duplicated, in any format, are encouraged to pursue appropriate legal action. Legitimate security vulnerabilities can be reported to Adobe at http://www.adobe.com/misc/securityform.html

*** END PGP VERIFIED MESSAGE *** PGP Signature Status: good. Signed: 7/9/2003 10:22:46 PM

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Please see the Solution section of Vulnerability Note VU#689835 for potential workarounds to this issue.