Accessibility

Support Knowledgebase

Set preferences to prevent malicious playback (Acrobat 6.0-6.0.2, Adobe Reader 6.0-6.0.2)

Issue

A vulnerability exists that could allow malicious code to access a user's computer when a malicious media file embedded in a PDF file is played by the Macromedia Flash Player on Windows or the QuickTime Player on Windows or Mac OS.

Adobe is currently unaware of any known malicious exploit of this vulnerability.

Details

The issue applies to the following file formats and Acrobat products:

-- Flash files (SWF) embedded within a PDF document

-- Flash files (SWF) embedded in a QuickTime movie that is then embedded in a PDF document

-- Adobe Acrobat 6.0-6.0.2 (Professional, Standard, and Elements)

-- Adobe Reader 6.0-6.0.2

Note: The issue does not apply to the playback of embedded Adobe Atmosphere or Windows Media Player content inside a PDF document, nor does it affect Flash content played directly within a web browser. This issue also doesn't apply to Adobe Acrobat 5.x or Acrobat Reader 5.x.

Solutions

Do one or more of the following solutions:

Solution 1: Install the update.

If you use Acrobat 6.0.2 or Adobe Reader 6.0.2, you can download install the appropriate update from the Adobe website at www.adobe.com/support/downloads/ :

-- For Windows, install the Acrobat 6.0.3 Professional and Standard update or the Adobe Reader 6.0.3 update.

-- For Mac OS, install the Acrobat 6.0.3a Professional and Standard update or the Adobe Reader 6.0.3a update.

Solution 2: Upgrade to Acrobat 7.0 or Acrobat Reader 7.0.

To upgrade to Adobe Reader 7.0, remove Adobe Reader 6.0x from the computer, and then install Adobe Reader 7.0 from the Adobe website at www.adobe.com/products/acrobat/readstep2.html .

To purchase Acrobat 7.0, visit the Adobe Store at http://store.adobe.com/store/ , or call Customer Services at 800- 833-6687 . Install Acrobat 7.0 from your installation media and uninstall Acrobat 6.x when the installer prompts you.

Solution 3: Modify the multimedia permission settings for Macromedia Flash Player and QuickTime.

As a precaution, Acrobat and Adobe Reader users can set their permissions for media players to disable playback or require user confirmation before playing Flash (SWF) or QuickTime media files embedded inside trusted or non-trusted PDF documents.

Note: In this procedure, "Acrobat product" refers to Acrobat (Professional and Standard) and Adobe Reader.

To set the Trust Manager Preferences in the Acrobat product:

1. Choose Edit > Preferences (Windows) or [Acrobat product] > Preferences (Mac OS).

2. Select Trust Manager on the left.

3. Select whether you want to display security permissions for trusted documents or non-trusted documents.

4. Select whether the trusted documents (or non-trusted documents) can open other files or launch applications.

5. Under Multimedia Permission Settings, select Allow Multimedia Operations to allow media clips to be played.

6. Select a multimedia player in the box, and then change the permission for the selected player to any of the following:

-- Select Never to prevent the player from being used.

-- Select Prompt to ask whether the player can be used. This option also lets the user decide whether to add a non-trusted document to the list of trusted documents when the user plays a media clip using the selected player.

Note: Selecting Prompt lets the user decide whether to play embedded media for that media player.

7. Repeat steps 3-6 to apply the modification to both Trusted and Non-trusted documents.

8. To clear the list of trusted documents and authors, click Reset List of Trusted Documents and Authors.

9. Click OK.

Background information

This vulnerability is fixed in the 6.0.3 and 6.0.3a updates and the 7.0 upgrade for Acrobat and Adobe Reader.

PDF documents can incorporate various types of media files that can be played by the corresponding media player (Macromedia Flash Player, QuickTime, Windows Media Player, etc.). Acrobat and Adobe Reader users can change multimedia security settings for trusted and non-trusted PDF documents in the Trust Manager panel of the Preferences dialog box. (Acrobat Elements users can change multimedia security settings for trusted and non-trusted PDF documents in the Trust Manager preferences for Adobe Reader.) For example, you can allow multimedia files to play in trusted documents and not allow them to play in non-trusted documents.

A PDF document is trusted if it is added to the list of trusted documents and authors. If a PDF document is not trusted, the user is prompted to add the document to this list when the user plays media for which the permission is set to Prompt. If the user adds a certified PDF document to the list, both the document and the author's certificate are added to the list. All PDF documents certified by this author are trusted.

For public references to this and other related issues, see the following websites:

-- http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2002-1534

-- http://secunia.com/advisories/12809/


Related Documents

Document 321328
Last edited - 09/19/2006

 

Got Some Time to Take a Survey?

Tell us what you think about this support site.