Adobe PDF Security Plugins & Plug-in Vulnerabilities

PDF Plug-in Vulnerabilities & Acrobat Reader Security

Plug-ins are dangerous.  If you are relying on plug-ins for your security you might want to be aware that they may not have all the security that some manufacturers like to claim.

“Because of the plug-in architecture of Acrobat and PDF readers, it makes PDF a less-secure platform for DRM” – ElcomSoft CEO Vladimir Katalov

Adobe PDF plugins

In the PDF world it is commonplace to use plug-ins to provide extra functionality and features.  But they are known to also create security holes.  The highly respected CERT organization reported the following in respect of the Adobe system:

http://www.kb.cert.org/vuls/id/JSHA-5PAMS7

However, it is openly admitted that ‘legitimate’ plug-ins may compromize the security of a system.  We reproduce some of the text published in the CERT report:

“Developers can freely write plug-ins for Adobe Acrobat.  An Adobe Reader plugin requires a license agreement and an enabling key from Adobe as part of the Adobe Reader Integration Key License Agreement (IKLA).  The purpose of the Reader enabling plugin architecture and IKLA is for licensing only and does not imply suitability or endorsement by Adobe of third party plug-ins.  The Certified Mode of both Adobe Acrobat and Adobe Reader is used to provide added assurances that only plug-ins provided by Adobe are compatible.  All third party plug-ins are restricted to non-certified mode.”

And

“Be careful not to install untrusted software, including non-certified Adobe plug-ins (those not signed and deployed by Adobe), unless absolutely certain of the origin and integrity of such software.  Unverified non-certified plug-ins can be removed from the plug-ins directory, and they will no longer load at startup.”

So what does this all mean?

1. A company may have an IKLA with Adobe Systems, but that does not mean that their product is certified as fit for purpose and is not vulnerable to weaknesses in the system or does not create weaknesses in the system.
2. If you examine the licensing system in force at the date if this article, anyone can write a plug-in for Adobe Acrobat Standard or Professional without obtaining an IKLA.  That means any third party can write a perfectly valid and appropriate plug-in that extracts text from an open PDF document without it having been deliberately designed to break any security systems.  Unfortunately, by it’s very nature it does just that.  There are many legitimate plug-ins on the market today that have this capability which are not hacking tools and were not developed for that purpose.

We respect the advice given by CERT, but note that if an attacker permits the loading of unverified non-certified plug-ins (which happens by default in all versions of Adobe unless you specifically check a box to say otherwise) they may introduce vulnerabilities.  Of course, one must assume that this is precisely what any attacker would therefore do.

Normal users familiar with their desktop plug-ins can hardly be criticized for using non-certified plug-ins when you can hardly expect them to understand any of these arcane technical issues, still less comply with them.

Adobe PDF plugins and certified mode “protection”

There are many Adobe Acrobat and Adobe Reader plug-ins that can load (by design) only in certified mode. One example is all documents protected with “Adobe DRM” security handler (so-called eBooks).  Certified mode assures that all other plug-ins, loaded with those ones, have been also certified by Adobe.  However, with this vulnerability, the plug-in with forged signature can perform virtually everything, including but not limited to:

• removing or modifying any restrictions (from copying text to Clipboard, printing etc) from the documents loaded into Adobe Acrobat or Adobe Reader
• remove any DRM (Digital Rights Management) schemes from PDF documents, regardless the encryption handler used – WebBuy, InterTrust DocBox, Adobe DRM (EBX) etc.
• modify or remove digital signatures used within a PDF document
• affect any/all other aspects of a document’s confidentiality, integrity and authenticity.

Locklizard security cannot be compromised by plug-ins because we prevent all plug-ins from being loaded so that no vulnerabilities can be introduced.

Still think plug-ins are safe?

Don’t just take our word for it, if you think plug-ins can’t compromise your security then read what Byran Guignard, an Adobe Certified expert, has to say.

The following white paper, Plug-ins – a source of insecurity, examines and questions the claims often made by plug-in suppliers that they are secure, giving published examples of where they are not.   It demonstrates why you should not purchase a document security solution that relies on plugins.

See also PDF security flaws.