Re: Vulnerability (critical): Digital signature for Adobe Acrobat/Reader plug-in can be forged
From: Melvyn Sopacua <msopacua () idg nl>
Date: Mon, 24 Mar 2003 18:03:15 +0100
At 13:02 3/24/2003, Vladimir Katalov wrote:
However, the implementation of certification mechanism is weak, and
easy to write a plug-in that will look like one certified by Adobe,
will be loaded even in 'trusted' mode. Such plug-in can execute ANY
-- i.e. perform file operations (read/write/execute), access Windows
[ ... ]
3. 'Trusted' mode is activated automatically by Adobe Acrobat/Reader
when it loads documents that are protected using various DRM
Rights Management) schemes such as WebBuy, InterTrust DocBox etc --
prevent protected content from being saved with protection stripped.
However, a plug-in with 'fake' certificate can be loaded anyway, and
so it will be able to do anything with DRM-protected documents, e.g.
altering or removing security options.
Q: how is the chicken and egg problem circumvented here? Social
Or is there a similar mechanism like HTML Object tags, where plugin
embedded in the document and (semi-) automatically installed?
Met vriendelijke groeten / With kind regards,
<@JE> Hosting: $5 per month. Domain name: $15, your site being down
twice a week: Priceless.