Slashdot Mirror


Adobe Still Ignores Elcomsoft-Discovered Holes

evenprime writes "In 2001, Dmitry Sklyarov described vulnerabilities in Adobe Acrobat and Adobe Acrobat Reader while giving a talk at Defcon 9. As has been previously mentioned, Dmitry was arrested the day after this talk. He and his company Elcomsoft were charged with violating the DMCA. Now Elcomsoft have announced that Adobe, two years later, has still not patched these bugs."


  1. not much of a vulnerability by gfody · · Score: 4, Informative

    it's just a way to trick acrobat into thinking your plugin is signed. if you're installing a plugin for anything you should realize it will be executing on your computer and proceed with caution. it's not the hosting app's job to make sure its plugins don't do anything they're not supposed to do (imo that responsibility should fall on the os, but that's mho) - so whatever extra security added by adobe to try and prevent untrusted plugins is pure gratis

    --

    bite my glorious golden ass.
  2. Big vulnerability by m4g02 · · Score: 5, Informative

    You missed the point; the vulnerability is a big one and doesn't involve the final user.

    As you may already know, many companies use PDF to release secure documents; these companies are confident that Adobe security will keep the document as read only so no llama will make changes for fun or copy paste their info.

    But then we have this vulnerability where you can load a custom plug-in in secure mode; this plug-in could use all the privileges a secure plug-in has, like for example saving an unencrypted version of the file or, why not, a plain text copy.

    This sounds like a big vulnerability to me, but companies that use Acrobat are the ones that should be angry.

    --
    Sigs are for morons... Wait a minute...
    1. Re:Big vulnerability by Vandil+X · · Score: 2, Informative
      ...companies are confident that adobe security will keep the document as read only so no llama will make changes for fun or copy paste their info.

      Any "secure" text-display is subject to modification, even by low-end computer users. It's as easy as pressing the Print Screen key and using a scanner with bundled consumer OCR software to convert the image back into paginated (and editable) text.

      The problem with the PDF security hole is more so in the matter of digital signatures. If someone were to exploit the security hole and obtain a company's digital signature, that person could do some real damage on behalf of that company.
      --
      Up, Up, Down, Down, Left, Right, Left, Right, B, A, START
  3. Sklyarov by AndrewHowe · · Score: 5, Informative

    Even the article gets it wrong now.
    Sklyarov!

  4. Re:Acrobat isn't so wonderful... by Zeddicus_Z · · Score: 5, Informative
    I work as an IT admin at a publishing company. We do several magazines covering various aspects of the IT industry. PDFs are vital to our production process. Why? Well, the two biggest reasons are:
    • When an advertiser sends you their ad as PDF, they can be almost 100% certain that it will appear on our systems exactly the same as it did on theirs.(*)
    • When we send our magazines off for printing, we can be almost 100% certain that what the printers see on their systems is what we saw on ours(**)
    Aside from the above, there are many other reasons why PDF is the industry standard in publishing (and, unlike Mac, it's a real standard. Once we weaned our designers off Apple and over to PC, they've been full of nothing but praise for the platform. Yep, that's right, we're a magazine publishing company that doesn't use Apple.)

    Despite your claims, HTML is never and will never be a means of displaying content the same way across multiple platforms. Heck, it wasn't even designed for that use in the first place. People try to make HTML-formatted content look exactly the same cross-platform, but when it changes layout at even the slightest screen resolution change, it's a lost cause.

    I read the Elcomsoft post to bugtraq this afternoon, and I agree Adobe's attempt to fix the problem was, at best, a poor effort. However, their failure to fix a flaw in their application does not mean that companies can up and switch to formats that not only do not do the same basic job PDF does (consistent display cross platform), but don't even claim to do so.

    *Variables such as colour saturation, monitor differences and even things as small as the level and angle of light being cast onto a monitor affect the display. However, this does not affect the printing process.
    **Once again, you have variables that are almost uncontrollable such as types of ink, non-PDF fuckups at the printer's end, etc.
    --
    Janie took my gun...
  5. Re:Bwahaha! by sebi · · Score: 2, Informative

    Seriously? You gotta link? Adobe products have been one of the cornerstones of software applications for the Mac for many years.

    Seriously!

  6. Re:relapse by sleeper0 · · Score: 4, Informative

    no the incident had nothing to do with rot13

    you can read about it here

  7. Re:Microsoft does the same... and profits!! by MikShapi · · Score: 2, Informative

    >> The only thing that runs well on all flavours of MS OSes from DOS to XP is viruses!

    You overrate viruses. Take it from someone who works at an AV company and who spent 2 years in the virus analysis team, roughly 90% of them fail to do part or all of what their writer intended to do.

    Viruses are not an exclusion to your law-of-patchiness.

    --
    -
  8. Misleading title, misleading hype... by pjrc · · Score: 4, Informative
    Clearly, Elcom is attempting to characterize Adobe as having utterly ignored this problem. It does appear that they have been slow and unresponsive to input. But this message reads as a smear campaign against Adobe, attempting to distort the facts by mixing a new security advisory with a rant about how slow and unresponsive they have been.

    They characterize a new bug (oversight in the fix, see below) as having done absolutely nothing. Not very honest...

    I'm pretty impressed that slashdot didn't post the inaccurate "no improvements for 2 years" title, when it is clearly a fact (based on the text of the article) that Adobe added a new, stronger signing method in version 6, as a good-faith attempt to solve this problem. Yes, "2 years" appears to be true, but that's not the 2 years from July 2001 to July 2003 (today).

    Likewise, the statement at the top: "Software released in 2003 contains vulnerabilities disclosured in 2001" gives the impression that the new version contains the exact same vulnerability, rather than an oversight in a major rework of the security mechanism that was intended to fix the bug.

    It sounds like Adobe really did try to fix the problem. They implemented a new, strong signing method. They even abandoned backwards compatibility and refuse to load the old, easily forged plugins when in certified mode. As Elcom's message explains, Acrobat 6 only allows "certified" mode if all the plugins have the new, strong signatures, or if all the plugins it finds have these signatures it automatically goes into certified mode.

    The real complaint appears to be an oversight that an unsigned plugin (or one of the legacy weakly authenticated plugins) can call some undocumented function, which is callable in uncertified mode, and cause Acrobat to switch into certified mode. Quoting from the Elcom message:

    Therefore, if plug-in with "forged" certificate is loaded, it can patch the code of CTIsCertifiedMode function in memory, and so force Acrobat to believe that it works in "Certified" mode.

    So there you have it, a real security announcement, buried after a lengthy rant about how slow and unresponsive Adobe has been.

    Yes, Adobe has a bad attitude. Yes, they fscked up and their attempt to fix the problem still has an exploitable weakness. Ok, I can buy that Adobe has a bad attitude.

    Elcom (or specifically, Vladimir Katalov) doesn't impress me much either, when it comes to attitude and standards of professional conduct. This angry rant attempts to paint a picture of Adobe as having still done utterly nothing to fix this problem... including a very misleading title and summary.

    Katalov sinks to the tactic of using an embedded advisory of a weakness to attract attention to an angry rant about his frustrations with Adobe's unresponsive history.

  9. Re:Excellent! by Vendekkai · · Score: 5, Informative

    Many of the assumptions in posts above are incorrect. I installed Acrobat 6 a month ago, and can verify these features.

    1. Acrobat has a read aloud function for the visually impaired. It's not perfect, a rather tinny voice, but it is functional. I, err, listened to a chapter or so of the latest Potter book (don't ask!) while driving, and could make perfect sense of the text to speech. This function is available when read access is given to the document.

    2. Adobe does warn people in the manual that pdfs are not very secure. They don't admit that Acrobat can be cracked, but they say something to the effect of "other pdf readers may not implement the pdf security features properly, and your secure document may not retain security with those readers." Of course, you can remove any pdf security with GhostScript, using a cracked dll.

    Vend Ekkai

  10. Re:NOT a problem by Matrix272 · · Score: 5, Informative

    This "vulnerability" means that you can run plugins WITHOUT having them signed by Adobe.

    THAT is the problem. Companies use Adobe Acrobat to create forms that should not be altered outside the company, like contracts, and send them to their customers to fill out. If said company can no longer trust that their customers won't be able to change text in their contract without notifying them, then Adobe Acrobat is completely meaningless.

    My last job was at an ISP that would create contracts and accounting papers in Acrobat, then send them to people to fill in certain information. Sometimes, the documents could be 30-50 pages in length. It obviously would take quite a long time to manually go through and verify that nothing inappropriate (i.e. the cost of getting out of the contract) would be changed. Of course, in that case, the company deserved whatever it got, but that's beside the point.

    --
    "It's better to have a gun and not need it than need a gun and not have it." ~ Christian Slater, True Romance
  11. Re:relapse by ClubStew · · Score: 4, Informative

    No, the Portable Document Format (PDF) IS secure. The hole is actually in loading plugins at startup. While a plugin could, of course, modify the display or something of a PDF, the format itself is secure (at least as far as we know). Just FYI.

  12. Re:Most people can't do both. by Anonymous Coward · · Score: 2, Informative

    This is also part of the American way: Harvard Business School of Management started preaching a long time ago (late '70's to early '80's) that managers just didn't need to know anything technical about the business they were managing to run it effectively.

    Obviously this was good for Harvard business school graduates and, by association, for the Harvard business school itself, but it has been disastrous for American business.

  13. Re:Bwahaha! by irving47 · · Score: 2, Informative

    Sadly, yes. Seriously... But just Premiere. So far. Too much competition from Final Cut Pro.

    --
    I had a sucky sig.
  14. Let's really be honest. by twitter · · Score: 2, Informative

    Adobe is selling a lie. You can't promise a "secure" digital format. If you give me a bunch of bytes, I can change it. Hell, if you give me a piece of paper, I can change it. All you can do about it is offer a reference and detect the change. Even then, someone might sneak in and change your reference. The whole secure digital thing is bullshit.

    --

    Friends don't help friends install M$ junk.

  15. Adobe Acrobat has a built in way to compromise.... by Redneck+Genius · · Score: 1, Informative

    read only security on a PDF.. just install Acrobat 4.0, open a protected PDF, and print to Distiller. It'll make an exact replica of the document that is writable :)

  16. Similarities with MS Reader by Danj2k · · Score: 2, Informative

    This reminds me of what's happened with Microsoft's Reader - although the significant difference there is that (after 6 months) they did actually bother to try to patch the hole (Convert LIT version 1.2 does not work with the updated version of Reader). They didn't do a particularly good job though, and so a few days later Convert LIT 1.4 was released.

  17. Why they didn't address this by Thuktun · · Score: 2, Informative

    It's even more damning because Adobe just recently upgraded their PDF Reader software from version 5 to version 6, yet have failed to patch this particular problem. You'd think that somewhere among all the features (?) added between two major releases they'd have found time for this.

    Working in a software development shop with a corporate attitude, I can understand why this didn't get fixed.

    In the statement they issued in response to CERT's advisory on this, they address the issue as an end-user security issue, not a DRM issue. Since they essentially claim it's really not a big deal, their development side probably considers it resolved.

    With the arrest and no other obvious targets on the radar, their business & legal side probably also consider it resolved, but probably only because they consider it a case of DMCA violation and not a Big Freaking Hole in their product's DRM functionality.

  18. I believe your allegations are false. by Medievalist · · Score: 2, Informative

    /.

    You accuse others of misleading statements... but I was actually at defcon9, and was in the audience during Dmitry's presentation. I think you were not.

    Elcomsoft did not sell an exploit tool. They sold a companion product for a flawed piece of commercial software. (Just like the companies that sell antiviruses for windows.) This product allowed users to exercise their legal rights under Russian law.

    Dmitry did not "announce the exploit at defcon". He gave a presentation detailing weaknesses in a commercial product. These weaknesses were already well known to exist, since Elcomsoft's extant commercial products took advantage of them, thus there was no "announcement".

    I personally saw no distribution of either the (Russian-legal) Elcomsoft product or of any mythical "polished, for-profit exploit", although I admit that I left early. I do not know of any person who provably received any software from Dmitry, and everyone I know who was present did not receive any software at that presentation.

    "The nuclear wessels? ...at... Alameeda?" Poor guys were totally baffled.

    --Charlie