Title: Adobe Acrobat Plug-In Forged Digital Signature Vulnerability
Severity: MODERATE
Description:
Adobe Acrobat and Acrobat Reader are applications that allow .pdf documents to be viewed.
Both Acrobat and Acrobat Reader allow the installation of various plug-in modules to extend functionality. Plug-ins can only be loaded if they are signed with the "Reader Integration Key", or, in some cases, only if they are certified as trusted. In order to be certified as trusted, the plug-in must be signed by Adobe.
The certificate validation algorithm used by Acrobat only verifies information contained within the portable executable (PE) header of the plug-in. As a result, changes to the plug-in that do not affect the PE header leave the signature valid.
This could allow blocks of code within the plug-in to be modified to perform malicious actions, or the plug-in could be modified to call another untrusted plug-in and pass control to it.
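Added example (not code from Adobe or from this advisory): a sketch of why an integrity check that covers only the PE headers accepts a file whose body has changed, shown next to a check over the whole file. The sample image is constructed, HMAC-SHA256 stands in for the real signature scheme, and treating "the PE header" as everything up to the end of the section table is an assumption, since the advisory does not specify Acrobat's algorithm.

```python
import hashlib
import hmac
import struct

KEY = b"constructed-demo-key"  # assumption: stand-in for the signer's key

def build_sample_plugin(body: bytes) -> bytes:
    """Constructed minimal PE-like image: DOS stub, PE/COFF headers, one section."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", e_lfanew)  # e_lfanew at 0x3C
    opt = b"\x0b\x01" + b"\x00" * 94                              # 96-byte optional header
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, len(opt), 0x2102)
    raw_off = e_lfanew + 4 + len(coff) + len(opt) + 40
    sect = struct.pack("<8sIIIIIIHHI", b".text", len(body), 0x1000,
                       len(body), raw_off, 0, 0, 0, 0, 0x60000020)
    return dos + b"PE\x00\x00" + coff + opt + sect + body

def header_span(image: bytes) -> int:
    """Bytes covered by DOS stub, PE signature, COFF/optional headers, section table."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ image")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("PE signature missing")
    (n_sections,) = struct.unpack_from("<H", image, e_lfanew + 6)
    (opt_size,) = struct.unpack_from("<H", image, e_lfanew + 20)
    return e_lfanew + 24 + opt_size + 40 * n_sections

def tag_header_only(image: bytes) -> bytes:
    """Weak check: the integrity tag covers the headers only."""
    return hmac.new(KEY, image[:header_span(image)], hashlib.sha256).digest()

def tag_whole_file(image: bytes) -> bytes:
    """Corrected check: the integrity tag covers every byte of the file."""
    return hmac.new(KEY, image, hashlib.sha256).digest()

def compare_checks() -> dict:
    original = build_sample_plugin(b"A" * 32)
    modified = build_sample_plugin(b"B" * 32)  # same size, so headers are identical
    return {
        "header_only_accepts_modified": hmac.compare_digest(
            tag_header_only(modified), tag_header_only(original)),
        "whole_file_accepts_modified": hmac.compare_digest(
            tag_whole_file(modified), tag_whole_file(original)),
    }

if __name__ == "__main__":
    print(compare_checks())
```

The header-only tag matches for both images because the section contents fall outside the hashed span; only the whole-file tag distinguishes them.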
It should be noted that patched versions may still load plug-ins that have certificates designed for Acrobat and Acrobat Reader 4 and 5 releases. If a malicious plug-in is loaded, it will be able to patch the CTIsCertifiedMode function, which could bypass the security model of the software. This could also be exploited to tamper with the integrity and validity of documents, which includes removing DRM or altering any restrictions on a document. Patched versions of the software will still be prone to these consequences in circumstances where a malicious plug-in is loaded, such as when the software is running in Non-certified mode.
** Reports indicate that a virus exists that exploits this vulnerability in order to propagate.
Affected Products:
- Adobe Acrobat 4.0.0
- Adobe Acrobat 4.0.0 5
- Adobe Acrobat 4.0.0 5c
- Adobe Acrobat 4.0.5 A
- Adobe Acrobat 5.0.0
- Adobe Acrobat 5.0.5
- Adobe Acrobat Reader 4.0.0
- Adobe Acrobat Reader 4.0.0 5
- Adobe Acrobat Reader 4.0.0 5c
- Adobe Acrobat Reader 4.0.5 A
- Adobe Acrobat Reader 5.0.0
- Adobe Acrobat Reader 5.0.5
References:
- Adobe: Adobe Acrobat 5.0.5 Security, Accessibility, and Forms patch - English
- CERT: Vulnerability Note VU#549913
- McAfee: W32/Yourde