In-Reply-To: <200303261835.h2QIZD6g027059@www.harkless.org> Dan Harkless <bugtraq@harkless.org> writes: >For those of us not familiar with Acrobat plugins, is there some facility >for the program retrieving/installing plugins automatically, or, to exploit >this would you need to entice a user to manually place your .api file in >their "plug_ins" directory (or run an installer program that would do so, in >which case you could run arbitrary code anyway in the installer)? In any case, user should install plugin (i.e. put it into an appropriate folder) manually. However, there are several ways to force user to so so ;) For example, an author can make a plug-in which will look perfectly valid -- i.e. doing something useful. Or that could be a security plug-in required to read e-books in PDF format (offered for free). Malicious code, however, can be activated at particular date, or when opening particular PDF file etc. But the main problem of this vulnerability, actually, falls into a different category. It completely compromises the whole Acrobat security model. For example, somebody can write a plug-in which allowing to save an unprotected copy of *any* DRM-enabled PDF document (doesn't matter what kind of security is being used -- FileOpen, WebBuy etc), circumventing the protection completely. Such plug-in would never be signed by Adobe (to be loaded into Acrobat, especially in "certified" mode), but using the vulnerabilities we have described, fake signature can be made -- so it will look like signed by Adobe. -- Sincerely yours, Vladimir Vladimir Katalov Managing Director ElcomSoft Co.Ltd. Member of Association of Shareware Professionals (ASP) Member of Russian Cryptology Association mailto:vkatalov@elcomsoft.com http://www.elcomsoft.com/adc.html (Advanced Disk Catalog) http://www.elcomsoft.com/art.html (Advanced Registry Tracer) http://www.elcomsoft.com/prs.html (Password Recovery Software)
