CERT Coordination Center

Adobe PDF viewers allow non-certified plug-ins to put viewers into Certified Mode

Vulnerability Note VU#689835

Original Release Date: 2003-07-15 | Last Revised: 2003-07-15

Overview

By default, Adobe PDF viewers will start up and load non-certified plug-ins installed in a local plug_ins directory. Adobe Reader plug-ins not certified by Adobe, if allowed to load, can execute arbitrary code in the process space of the running viewer. One incremental impact of such arbitrary code execution is to put the viewer into 'Certified Mode', allowing the circumvention of certain digital rights management features, such as those that prevent printing, copying of text, etc.

Description

Adobe Acrobat is software designed to create and manipulate Portable Document Format (PDF) files. The Adobe Reader is a more widely-deployed free PDF viewer. Acrobat plug-ins are separate executable code modules designed to use the Acrobat SDK to work within the Acrobat framework and extend the functionality and features of Adobe's PDF viewers. These are typically dynamic libraries installed in a plug_ins directory (with the extension .api on Windows systems). Installed plug-ins run with the same execution privileges as the user running the Acrobat PDF viewer, but may cause other plug-ins to not be loaded at startup, depending on whether they are digitally signed by Adobe's certification key.

There are three primary cryptographic features in Adobe Acrobat and Adobe Reader products. These are:

    1. Document digital signatures
    2. Document encryption
    3. Plug-in cryptographic verification

    While the first two features do not have any reported weaknesses and are believed to be cryptographically strong, the third feature is only as reliable as the security of the underlying operating system. In particular, malicious or altered plug-ins, like any code sharing memory with an application, are able to circumvent certain digital rights management features that prevent printing, copying of text, etc.

    The vulnerability described in VU#549913 ("Adobe Acrobat PDF viewers contain flaw when loading and verifying plug-ins") is still present in Adobe Acrobat 6.0 and Adobe Reader 6.0 when loading of non-certified plug-ins is allowed (the default setting). Since plug-ins can run arbitrary code, users of these products will want to make sure untrusted plug-ins are not installed or loaded. Because Version 6 certified plug-ins are now verified using strong cryptography, enabling the 'Use Only Certified Plug-ins' option will ensure that only plug-ins legitimately signed and distributed by Adobe will load (see the checkbox in the 'Application Startup' area under menu item 'Edit->Preferences->Startup').

    Impact

    There are two classes of end-users affected by this report:

    Consumers of Adobe Acrobat and Adobe Reader Products

    Attackers that can convince users to download and install malicious programs (non-certified plug-ins) may be able to execute arbitrary code on the user's system. Executing arbitrary code may allow an attacker to display false information when reporting document information and circumvent digital rights management features that prevent printing, copying of text, etc. This can only happen via non-certified plug-ins installed in a plug_ins directory when the 'Use Only Certified Plug-ins' checkbox is turned off, the default state in Adobe Acrobat 6.0 and Adobe Reader 6.0.

    Digital Content Providers

    Digital content providers cannot rely on plug-in cryptographic verification mechanisms to prevent attackers from gaining certain rights. These rights include printing, copying of text, and other digital-rights-management features when the attacker is able to access legitimately decrypted documents and the attacker has control of the local system. Note that this can happen regardless of the plug-in architecture used. The ability of any application to protect such rights depends on the underlying operating system architecture, not the application architecture.

    Solution

    Adobe has provided a statement regarding this issue, available here:
    http://www.kb.cert.org/vuls/id/JSHA-5PAMS7

    Workarounds

    There are two classes of end-user response to this report:

    Consumers of Adobe Acrobat and Adobe Reader Products

    Be careful not to install untrusted software, including non-certified Adobe plug-ins (those not signed and deployed by Adobe), unless absolutely certain of the origin and integrity of such software. Unverified non-certified plug-ins can be removed from the plug-ins directory, and they will no longer load at startup.

    If you desire additional protection, you may wish to set the certified-plug-ins-only feature. When the 'Use Only Certified Plug-ins' checkbox under 'Edit->Preferences->Startup' (under 'Application Startup') is enabled (not the default), non-certified plug-ins are prevented from loading at startup.

    Finally, to prevent all plug-ins from loading when an Acrobat viewer starts, press the 'Shift' key while the application is starting.
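
One way to carry out the plug-in review described above, shown as an added example (not part of the original note, and not Adobe's certification check): it hashes every .api module under a plug_ins directory and compares the result with an administrator-maintained baseline. The baseline format, the function names and the sample files are assumptions made for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def audit_plugins(plugin_dir, baseline, extension=".api"):
    """Compare plug-in modules under plugin_dir with a reviewed baseline.

    baseline (assumed format) maps a path relative to plugin_dir, POSIX style,
    to the SHA-256 recorded when the module was reviewed. Returns sorted lists:
    unknown (not in baseline), modified (hash differs), missing (no longer there).
    """
    root = Path(plugin_dir)
    seen = {}
    # Recursive walk, on the assumption that modules may sit in subfolders.
    for p in root.rglob("*"):
        # Case-insensitive suffix match: Windows file systems ignore case.
        if p.is_file() and p.suffix.lower() == extension:
            seen[p.relative_to(root).as_posix()] = sha256_file(p)
    return {
        "unknown": sorted(k for k in seen if k not in baseline),
        "modified": sorted(k for k in seen if k in baseline and seen[k] != baseline[k]),
        "missing": sorted(k for k in baseline if k not in seen),
    }

def demo():
    # Constructed sample tree; file names and contents are made up.
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "plug_ins"
        (root / "sub").mkdir(parents=True)
        (root / "reviewed.api").write_bytes(b"reviewed module")
        (root / "changed.api").write_bytes(b"original bytes")
        baseline = {n: sha256_file(root / n) for n in ("reviewed.api", "changed.api")}
        baseline["removed.api"] = "0" * 64                         # reviewed, now absent
        (root / "changed.api").write_bytes(b"patched bytes")       # altered after review
        (root / "sub" / "Dropped.API").write_bytes(b"new module")  # never reviewed
        (root / "readme.txt").write_bytes(b"not a plug-in")        # wrong extension, ignored
        return audit_plugins(root, baseline)

if __name__ == "__main__":
    for status, names in demo().items():
        print(status, names)
```

Anything reported as unknown or modified is a candidate for removal from the plug-ins directory until its origin and integrity have been confirmed.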

    Digital Content Providers

    Do not rely on any digital rights management features enforced solely via non-certified plug-ins for critical content. When appropriate, use the stronger document signature and encryption features built into the Adobe Acrobat products.

    Vendor Information

    Adobe Systems Incorporated Affected

    Notified:  July 08, 2003 Updated: July 15, 2003

    Status

    Affected

    Vendor Statement

    [Statement Date: 7/9/2003]

    TITLE: Digital Rights Management (DRM) and the Adobe Acrobat/PDF Security
    Model

    OVERVIEW
    Adobe encourages the security community to report truthful and legitimate
    security vulnerabilities so they can be quickly and appropriately
    addressed for customers. Recently, an organization publicly disclosed a
    theoretical vulnerability within the Adobe Acrobat/PDF product.
    Unfortunately, the information was inaccurate and misleading.

    DESCRIPTION
    Adobe PDF includes several mechanisms to protect electronic documents.
    This includes encryption, digital signatures, and digital rights
    management.

    * Encryption can be used with passwords or public key infrastructure
    (PKI) to restrict access to confidential electronic content. Using strong
    passwords with 128bit RC4 symmetric encryption or PKI certificates, Adobe
    PDF provides added assurances that protected documents can only be opened
    by the intended recipients.

    * Digital signatures can be used with PKI to provide authenticity and
    integrity checking capabilities to sensitive electronic content. Using up
    to 2048 bit RSA keys, Adobe PDF provides added assurances that protected
    content originated from the named author and that the content has not been
    altered since authoring.

    * Digital rights management can be used to control the distribution and
    usage of copyrighted material. This may include restrictions for print,
    copy, read aloud and expiration of content.

    Adobe provides a plug-in architecture for developers to further enhance
    these protection capabilities within Adobe Acrobat and Adobe Reader. The
    Software Development Kit (SDK) can be found at
    http://partners.adobe.com/asn/acrobat/index.jsp

    There are four types of plug-ins available for Adobe PDF products:

    1. Adobe Acrobat plug-in
    2. Adobe Reader plug-in
    3. Adobe Acrobat Certified plug-in
    4. Adobe Reader Certified plug-in


    Developers can freely write plug-ins for Adobe Acrobat. Adobe Reader
    plug-ins require a license agreement and an enabling key from Adobe as
    part of the Adobe Reader Integration Key License Agreement (IKLA). The
    purpose of the Reader enabling plug-in architecture and IKLA is for
    licensing only and does not imply suitability or endorsement by Adobe of
    third party plug-ins. The Certified Mode of both Adobe Acrobat and Adobe
    Reader is used to provide added assurances that only plug-ins provided by
    Adobe are compatible. All third party plug-ins are restricted to
    non-certified mode.

    As reported in the CERT/CC Vulnerability Note 549913,
    http://www.kb.cert.org/vuls/id/549913
    Adobe Acrobat and Adobe Reader versions 4.X and 5.X utilized the same
    mechanism to restrict Reader and Certified plug-ins, which could be
    bypassed in certain circumstances. As noted, Adobe Acrobat and Adobe
    Reader version 6.X have been updated to provide a new Certified Mode
    verification scheme. When specifically enabled within the product, only
    Certified plug-ins - those supplied by Adobe - will load on a user's
    system. For backward compatibility, Reader plug-in verification mechanisms
    have not been changed in version 6.X.

    IMPACT
    Adobe/PDF products rely on a third party operating system and these
    operating systems do not currently restrict loading of multiple
    applications in shared computer memory. Therefore, Adobe does not make any
    warranties about plug-ins to Adobe applications or other applications on
    an operating system that may affect Digital Rights Management capabilities
    within Adobe PDF products. Electronic content that can be viewed or heard
    could be potentially copied through digital and/or analog means.
    Technology alone is not a complete barrier to prevent the stealing of
    copyrighted material.

    An organization has publicly posted theoretical information that could be
    used to help circumvent Digital Rights Management capabilities in Adobe
    Acrobat/PDF using the plug-in architecture. A product created using this
    information could encourage illegal activity and potential violations of
    the End User License Agreement for Adobe Acrobat and Adobe Reader
    products.

    This information also includes inaccurate statements related to other
    elements of Adobe Acrobat/PDF security and contains no credible
    information concerning weaknesses in document encryption or digital
    signature capabilities of Adobe Acrobat/PDF related security
    infrastructure. Users of Adobe applications are not at risk from the
    information contained in these erroneous reports.

    SOLUTION
    Since this is a theoretical vulnerability and does not pose a risk to
    Acrobat customers, Adobe will not be issuing an update to Adobe Acrobat or
    Adobe Reader to modify plug-in loading mechanisms.

    Authors who determine their copyrighted material has been illegally
    duplicated, in any format, are encouraged to pursue appropriate legal
    action.

    Legitimate security vulnerabilities can be reported to Adobe at
    http://www.adobe.com/misc/securityform.html


    *** END PGP VERIFIED MESSAGE ***
    *** PGP Signature Status: good
    *** Signed: 7/9/2003 10:22:46 PM

    Vendor Information

    The vendor has not provided us with any further information regarding this vulnerability.

    Addendum

    Please see the Solution section of Vulnerability Note VU#689835 for potential workarounds to this issue.

    If you have feedback, comments, or additional information about this vulnerability, please send us email.


    Acknowledgements

    Thanks to Vladimir Katalov of ElcomSoft Co. Ltd. for reporting this vulnerability to the CERT/CC. Thanks to Adobe Systems Incorporated for working with CERT/CC to help inform the Internet community about these issues.

    This document was written by Cory F. Cohen and Jeffrey S. Havrilla.

    Other Information

    CVE IDs: CVE-2003-0142
    Severity Metric: 1.06
    Date Public: 2003-07-08
    Date First Published: 2003-07-15
    Date Last Updated: 2003-07-15 23:36 UTC
    Document Revision: 54

    Sponsored by CISA.