Adobe Acrobat PDF viewers contain flaw

This may seem old news and was indeed already discovered in 2001, but even though Adobe has been notified about it, no fix exists today. [Michel]

Acrobat plug-ins can be digitally signed to determine whether they should be loaded by Adobe Acrobat Reader at startup. This digital signature mechanism is not cryptographically strong and allows other potentially-malicious plug-in code to pretend to be certified by Adobe and be executed by Acrobat Reader even when in "Certified Plug-ins Only" mode.

The digital signature mechanism used by Adobe Acrobat and Adobe Acrobat Reader to determine if a plug-in is certified ("Reader enabled") only checks the Portable Executable (PE) header of the plug-in file (dynamic library). This cryptographic weakness can be used to make unsigned plug-ins appear to be certified by Adobe and loaded by Adobe Acrobat Reader regardless of the "Certified Plug-ins Only" setting.
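Why a check bound only to the header is weak can be seen by comparing a header-only digest with a whole-file digest. This is an added example, not code from Adobe or CERT/CC: the header span used here (DOS header through the section table) is an assumption about what "PE header" covers, and `make_sample` builds a constructed PE-like byte string rather than a real plug-in.

```python
import hashlib
import struct

def pe_header_span(data: bytes) -> int:
    """Length of DOS header + PE signature + COFF/optional headers + section table."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    coff = e_lfanew + 4
    if data[e_lfanew:coff] != b"PE\0\0" or coff + 20 > len(data):
        raise ValueError("missing PE signature or truncated COFF header")
    (num_sections,) = struct.unpack_from("<H", data, coff + 2)
    (opt_size,) = struct.unpack_from("<H", data, coff + 16)
    end = coff + 20 + opt_size + 40 * num_sections
    if end > len(data):
        raise ValueError("truncated headers")
    return end

def digests(data: bytes) -> tuple[str, str]:
    """SHA-256 over the header span only, and over the entire file."""
    span = pe_header_span(data)
    return hashlib.sha256(data[:span]).hexdigest(), hashlib.sha256(data).hexdigest()

def classify(candidate: bytes, trusted: bytes) -> str:
    """Compare a candidate plug-in image against a known-good one."""
    c_hdr, c_full = digests(candidate)
    t_hdr, t_full = digests(trusted)
    if c_full == t_full:
        return "identical"
    if c_hdr == t_hdr:
        return "header-only match"  # a header-bound check cannot see this difference
    return "different"

def make_sample(body: bytes) -> bytes:
    """Constructed PE-like image: one section, no optional header (not a real plug-in)."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0x2000)
    section = b".text\0\0\0" + b"\0" * 32
    return dos + b"PE\0\0" + coff + section + body

if __name__ == "__main__":
    trusted = make_sample(b"\x01" * 16)
    altered = make_sample(b"\x02" * 16)  # same headers, different section bytes
    print(classify(altered, trusted))
```

A "header-only match" result against a known-good plug-in is the case the whole-file digest catches and a header-bound check does not.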

View: CERT/CC Vulnerability Note VU#549913: contains the full details, including a workaround

News source: WebWereld (Dutch)
