main

Adobe Acrobat PDF viewers contains flaw

Michel   on 27 March 2003 - 14:17 · 8 comments & 2201 views

Advertisement (Why?)
This may seem old news and was indeed already discovered in 2001, but even though Adobe has been notified about it, no fix exists today. [Michel]

Acrobat plug-ins can be digitally signed to determine whether they should be loaded by Adobe Acrobat Reader at startup. This digital signature mechanism is not cryptographically strong and allows other potentially-malicious plug-in code to pretend to be certified by Adobe and be executed by Acrobat Reader even when in 'Certified Plug-ins Only' mode.

The digital signature mechanism used by Adobe Acrobat and Adobe Acrobat Reader to determine if a plug-in is certified ("Reader enabled") only checks the Portable Executable (PE) header of the plug-in file (dynamic library). This cryptographic weakness can be used to make unsigned plug-ins appear to be certified by Adobe and loaded by Adobe Acrobat Reader regardless of the 'Certified Plug-ins Only' setting.

View: CERT/CC Vulnerability Note VU#549913 : Contains the full details including a workaround
News source: WebWereld (Dutch)


An intruder can exploit this vulnerability to make an unsigned plug-in appear to be certified by Adobe for use in Acrobat Reader:
  • Any user induced to install a malicious plug-in with a forged digital signature into an Acrobat viewer plug_ins directory will have no way to differentiate it from other legitimately certified plug-ins (for example, by using Help->About Adobe Acrobat Plug-ins...in Acrobat Reader 5.1 for Windows).
  • Any Acrobat plug-in designed to only load in certified mode in Adobe Acrobat Reader may execute in an untrustworthy computer environment, leading to other malicious behavior.
  • Any PDF document created to only be loaded in Acrobat Reader certified mode may open in an untrustworthy user environment, leading to other malicious behavior.

Share this Article

About the Author

Full name: Unknown
User name: Michel
Contact: via forum PM
Submissions: View All
More: View Profile

Related news

Post a comment · Send to friend Comments · There are 8 additional comments
(1 reply) #1 dougkinzinger on 27 Mar 2003 - 14:57
i'm ready for acrobat 6.0...it needs to catch up with the Winders XP folk such as myself (in reference to the interface)
#1.1 macrosslover on 27 Mar 2003 - 15:01
[neoquote=#1.0 by dougkinzinger]i'm ready for acrobat 6.0...it needs to catch up with the Winders XP folk such as myself (in reference to the interface)[/neoquote] the interface looks fine on my system. amazing i never saw a single article about this on cnet or zdnet, but let there be the smallest flaw in the smallest microsoft program and it will be on the website for the entire week with 1000 comments. oh well what do you expect...responsible journalism? lol
#2 Jason on 27 Mar 2003 - 15:05
Acrobat 6 is out Quarter 2 of this year apparently.
#3 username on 27 Mar 2003 - 16:40
yeah, the flaw is it uses ~20megs of ram
#4 Hills420 on 27 Mar 2003 - 16:42
why don't they just release a patch insted a of "Hold the shift button at start up"
#5 DrunkenMaster on 27 Mar 2003 - 21:51
Funny how the digital signature is supposed to protect the user and instead could be used to infect a computer w/ a virus.
(1 reply) #6 Michael Lerner on 27 Mar 2003 - 23:40
not surprised, Adobe makes insecure bloated software.
#6.1 Hawkeye on 28 Mar 2003 - 00:03
[neoquote=#6.0 by Michael Lerner]not surprised, Adobe makes insecure bloated software.[/neoquote] Yes, I'm sure. Can you name two Adobe products (excluding the Acrobat family) that would fit that description you provided?

Commenting has either been disabled on this article or you are not logged in. Click here to login or register, its free!

Note: Anonymous commenting is disabled in order to keep the quality of responses to a high standard.

Advertisement (Why?)
News powered by Neowin Management System (Build - 5.0.879) © 2000 - 2008 Neowin.net