Software Engineering Institute

Adobe Acrobat is software designed to create and manipulate Portable Document Format (PDF) files. The Adobe Acrobat Reader is a more widely-deployed free PDF viewer. Acrobat plug-ins are separate executable code modules designed to use the Acrobat SDK to work within the Acrobat framework and extend the functionality and features of Adobe's PDF viewers. These are typically dynamic libraries installed in a plug_ins directory (with the extension .api on Windows systems). Installed plug-ins run with the same execution privileges as the user running the Acrobat PDF viewer, but may cause other plug-ins to not be loaded at startup, depending on whether they are digitally signed to be "Acrobat Reader enabled."

Plug-ins can be digitally signed to provide some level of authenticity when being loaded into the Acrobat viewer environment (i.e., "Acrobat Reader enabled"). This is particularly useful in the Adobe Acrobat Reader software, as plug-ins not signed with an integration key (provided to legally licensed third-party developers only) should not be loaded when a preference is set to allow only Adobe certified plug-ins at startup. This preference is set in the viewer configuration (Acrobat Reader 5.1 for Windows, for example, has a 'Certified Plug-ins Only' checkbox under menu Edit->Preferences...->Optionsand stores its value in a registry key). The default setting for the "certified plug-ins only" preference varies according to installation path, version and platform of the Acrobat viewer. This digital certification has nothing to do with digital signatures applied to PDF documents. As noted in Adobe Acrobat Reader 5.1 Help (page 53):

Certified Plug-ins Only
Loads only Adobe-certified third-party plug-ins. If you use non-certified plug-ins for Acrobat Reader, make sure that you select this option to use the Web Buy feature or to open documents with additional usage rights.

The digital signature mechanism used by Adobe Acrobat and Adobe Acrobat Reader to determine if a plug-in is certified ("Reader enabled") only checks the Portable Executable (PE) header of the plug-in file (dynamic library). This cryptographic weakness can be used to make unsigned plug-ins appear to be certified by Adobe and loaded by Adobe Acrobat Reader regardless of the 'Certified Plug-ins Only' setting.

An intruder can exploit this vulnerability to make an unsigned plug-in appear to be certified by Adobe for use in Acrobat Reader:

• Any user induced to install a malicious plug-in with a forged digital signature into an Acrobat viewer plug_ins directory will have no way to differentiate it from other legitimately certified plug-ins (for example, by using Help->About Adobe Acrobat Plug-ins...in Acrobat Reader 5.1 for Windows).
• Any Acrobat plug-in designed to only load in certified mode in Adobe Acrobat Reader may execute in an untrustworthy computer environment, leading to other malicious behavior.
• Any PDF document created to only be loaded in Acrobat Reader certified mode may open in an untrustworthy user environment, leading to other malicious behavior.

Adobe has provided a statement regarding this issue, available here:http://www.kb.cert.org/vuls/id/JSHA-5EZQGZ

One potential workaround is to disallow all plug-ins from loading when an Acrobat viewer starts. To disable plug-in loading, press the 'Shift' key at start up.