A plugin from one manufacturer can stop a plugin from another manufacturer from:
- not working correctly
- not working at all
- changing what controls it enforces
PDF Plug-in Vulnerabilities & Acrobat Reader Security
Plug-ins are dangerous. If you rely on plug-ins for your PDF security then you should be aware that they may not have all the security that some manufacturers claim.
“Because of the plug-in architecture of Acrobat and PDF readers, it makes PDF a less-secure platform for DRM” – ElcomSoft CEO Vladimir Katalov.
While PDF security plugins may seem convienient, they require Admin rights to install and can put your protected PDF documents at risk.
Adobe Plug-ins and PDF Plugin Security issues
In the PDF world it is commonplace to use plug-ins to provide extra functionality and features. But they are known to also create security holes. The highly respected CERT organization reported the following in respect of the Adobe system:
However, it is openly admitted that ‘legitimate’ plug-ins may compromize the security of a system. We reproduce some of the text published in the CERT report:
“Developers can freely write plug-ins for Adobe Acrobat. An Adobe Reader plugin requires a license agreement and an enabling key from Adobe as part of the Adobe Reader Integration Key License Agreement (IKLA). The purpose of the Reader enabling plugin architecture and IKLA is for licensing only and does not imply suitability or endorsement by Adobe of third party plug-ins. The Certified Mode of both Adobe Acrobat and Adobe Reader is used to provide added assurances that only plug-ins provided by Adobe are compatible. All third party plug-ins are restricted to non-certified mode.”
“Be careful not to install untrusted software, including non-certified Adobe plug-ins (those not signed and deployed by Adobe), unless absolutely certain of the origin and integrity of such software. Unverified non-certified plug-ins can be removed from the plug-ins directory, and they will no longer load at startup.”
We respect the advice given by CERT, but note that if an attacker permits the loading of unverified non-certified plug-ins (which happens by default in all versions of Adobe unless you specifically check a box to say otherwise) they may introduce vulnerabilities. Of course, one must assume that this is precisely what any attacker would therefore do.
Normal users familiar with their desktop plug-ins can hardly be criticized for using non-certified plug-ins when you can hardly expect them to understand any of these arcane technical issues, still less comply with them.
There are many Adobe Acrobat and Adobe Reader plug-ins that can load (by design) only in certified mode. One example is all documents protected with “Adobe DRM” security handler (so-called eBooks). Certified mode assures that all other plug-ins, loaded with those ones, have been also certified by Adobe. However, with this vulnerability, a plug-in with forged signature can perform virtually everything, including but not limited to:
Don’t just take our word for it, if you think plug-ins can’t compromise your security then read what Byran Guignard, an Adobe Certified expert, has to say.
The following white paper, Plug-ins – a source of insecurity, examines and questions the claims often made by plug-in suppliers that they are secure, giving published examples of where they are not. It demonstrates why you should not purchase a document security solution that relies on plugins.
See also PDF security flaws.
If you cannot rely on a PDF security plugin working as expected (not conflicting or circumvented by other plugins) and failing to operate when Acrobat is frequently updated then the plugin is effectively useless.
Why and how APIs and plug-ins can compromize security
Why Locklizard for PDF Protection?