Adobe Still Ignores Elcomsoft-Discovered Holes
evenprime writes "In 2001, Dmitry Sklyarov described vulnerabilities in Adobe Acrobat and Adobe Acrobat Reader while giving a talk at Defcon 9. As has been previously mentioned, Dmitry was arrested the day after this talk. He and his company Elcomsoft were charged with violating the DMCA. Now Elcomsoft have announced that Adobe, two years later, has still not patched these bugs."
it's just a way to trick acrobat into thinking your plugin is signed. if you're installing a plugin for anything you should realize it will be executing on your computer and proceed with caution. it's not the hosting app's job to make sure its plugins don't do anything they're not supposed to do (imo that responsibility should fall on the os, but that's mho) - so whatever extra security added by adobe to try and prevent untrusted plugins is pure gratis
bite my glorious golden ass.
You missed the point, the vulnerability is a big one and doesn't involve the final user.
As you may already know many companies use PDF to release secure documents, these companies are confident that Adobe security will keep the document as read only so no llama will make changes for fun or copy paste their info.
But then we have this vulnerability where you can load a custom plugin in secure mode, this plug in could use all the privileges a secure plug in has, like for example saving an unencrypted version of the file or, why not, a plain text copy.
This sounds like a big vulnerability to me, but companies that use Acrobat are the ones that should be angry.
Sigs are for morons... Wait a minute...
Even the article gets it wrong now.
Sklyarov!
- When an advertiser sends you their ad as PDF, they can be almost 100% certain that it will appear on our systems exactly the same as it did on theirs.(*)
- When we send our magazines off for printing, we can be almost 100% certain that what the printers see on their systems is what we saw on ours(**)
Aside from the above, there are many other reasons why PDF is the industry standard in publishing (and, unlike Mac, it's a real standard. Once we weaned our designers off Apple and over to PC, they've been full of nothing but praise for the platform. Yep, that's right, we're a magazine publishing company that doesn't use Apple.) Despite your claims, HTML is never and will never be a means of displaying content the same way across multiple platforms. Heck, it wasn't even designed for that use in the first place. People try to make HTML-formatted content look exactly the same cross-platform, but when it changes layout at even the slightest screen resolution change, it's a lost cause.
I read the Elcomsoft post to bugtraq this afternoon, and I agree Adobe's attempt to fix the problem was, at best, a poor effort. However, their failure to fix a flaw in their application does not mean that companies can up and switch to formats that not only do not do the same basic job PDF does (consistent display cross platform), but don't even claim to do so.
*Variables such as colour saturation, monitor differences and even things as small as the level and angle of light being cast onto a monitor affect the display. However, this does not affect the printing process.
**Once again, you have variables that are almost uncontrollable such as types of ink, non-PDF fuckups at the printer's end, etc.
Janie took my gun...
no the incident had nothing to do with rot13
you can read about it here
They characterize a new bug (oversight in the fix, see below) as having done absolutely nothing. Not very honest...
I'm pretty impressed that slashdot didn't post the inaccurate "no improvements for 2 years" title, when it is clearly a fact (based on the text of the article) that Adobe added a new, stronger signing method in version 6, as a good-faith attempt to solve this problem. Yes, "2 years" appears to be true, but that's not the 2 years from July 2001 to July 2003 (today).
Likewise, the statement at the top: "Software released in 2003 contains vulnerabilities disclosured in 2001" gives the impression that the new version contains the exact same vulnerability, rather than an oversight in a major rework of the security mechanism that was intended to fix the bug.
It sounds like Adobe really did try to fix the problem. They implemented a new, strong signing method. They even abandoned backwards compatibility and refuse to load the old, easily forged plugins when in certified mode. As Elcom's message explains, Acrobat 6 only allows "certified" mode if all the plugins have the new, strong signatures, or if all the plugins it finds have these signatures it automatically goes into certified mode.
The real complaint appears to be an oversight: some undocumented function is callable in uncertified mode, so an unsigned plugin (or one of the legacy weakly authenticated plugins) can call this undocumented function and cause Acrobat to switch into certified mode. Quoting from the Elcom message:
So there you have it, a real security announcement, buried after a lengthy rant about how slow and unresponsive Adobe has been.
Yes, Adobe has a bad attitude. Yes, they fscked up and their attempt to fix the problem still has an exploitable weakness. Ok, I can buy that Adobe has a bad attitude.
Elcom (or specifically, Vladimir Katalov) doesn't impress me much either, when it comes to attitude and standards of professional conduct. This angry rant attempts to paint a picture of Adobe as having still done utterly nothing to fix this problem... including a very misleading title and summary.
Katalov sinks to the tactic of using an embedded advisory of a weakness to attract attention to an angry rant about his frustrations with Adobe's unresponsive history.
PJRC: Electronic Projects, 8051 Microcontroller Tools
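The design flaw summarized in the comment above, as an added example that is not part of the thread and is not Acrobat's code: a toy plugin host where the certified flag is set at load time from the signatures of all loaded plugins, then either flipped by an unchecked internal call (flawed) or re-derived from the loaded set on every mode switch (hardened). All type, function and plugin names are hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical model of a plugin host; names are assumptions, not Acrobat's API. */
typedef enum { SIG_NONE, SIG_LEGACY, SIG_STRONG } sig_kind;
typedef struct { const char *name; sig_kind sig; } plugin;
typedef struct { const plugin *loaded; size_t count; bool certified; } host;

/* Load-time rule from the comment: certified only if every plugin is strongly signed. */
static bool all_strong(const plugin *p, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (p[i].sig != SIG_STRONG) return false;
    return true;
}

void host_load(host *h, const plugin *p, size_t n) {
    h->loaded = p; h->count = n;
    h->certified = all_strong(p, n);
}

/* Flawed design: an internal entry point reachable by any loaded plugin
   sets the flag without looking at who is loaded. */
bool switch_mode_flawed(host *h) { h->certified = true; return h->certified; }

/* Hardened design: a mode switch re-derives trust from the loaded set,
   so a request made on behalf of an unsigned plugin is refused. */
bool switch_mode_hardened(host *h) {
    h->certified = all_strong(h->loaded, h->count);
    return h->certified;
}

/* Constructed sample: one legacy-signed plugin among strongly signed ones. */
static const plugin SAMPLE[] = {
    {"viewer_core", SIG_STRONG}, {"forms", SIG_STRONG}, {"third_party", SIG_LEGACY},
};

int main(void) {
    host h;
    host_load(&h, SAMPLE, 3);
    printf("after load:      certified=%d\n", h.certified);
    printf("flawed switch:   certified=%d\n", switch_mode_flawed(&h));
    host_load(&h, SAMPLE, 3);
    printf("hardened switch: certified=%d\n", switch_mode_hardened(&h));
    return 0;
}
```

The point for anyone reviewing a similar host: a trust level that is stored as a writable flag is only as strong as every code path that can write it, while one recomputed from verified load-time facts cannot be promoted by a caller.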
Many of the assumptions in posts above are incorrect. I installed Acrobat 6 a month ago, and can verify these features.
1. Acrobat has a read aloud function for the visually impaired. It's not perfect, a rather tinny voice, but it is functional. I, err, listened to a chapter or so of the latest Potter book (don't ask!) while driving, and could make perfect sense of the text to speech. This function is available when read access is given to the document.
2. Adobe does warn people in the manual that pdfs are not very secure. They don't admit that Acrobat can be cracked, but they say something to the effect of "other pdf readers may not implement the pdf security features properly, and your secure document may not retain security with those readers." Of course, you can remove any pdf security with GhostScript, using a cracked dll.
Vend Ekkai
This "vulnerability" means that you can run plugins WITHOUT having them signed by Adobe.
THAT is the problem. Companies use Adobe Acrobat to create forms that should not be altered outside the company, like contracts, and send them to their customers to fill out. If said company can no longer trust that their customers won't be able to change text in their contract without notifying them, then Adobe Acrobat is completely meaningless.
My last job was at an ISP that would create contracts and accounting papers in Acrobat, then send them to people to fill in certain information. Sometimes, the documents could be 30-50 pages in length. It obviously would take quite a long time to manually go through and verify that nothing inappropriate (i.e. the cost of getting out of the contract) would be changed. Of course, in that case, the company deserved whatever it got, but that's beside the point.
"It's better to have a gun and not need it than need a gun and not have it." ~ Christian Slater, True Romance
No, the Portable Document Format (PDF) IS secure. The hole is actually in loading plugins at startup. While a plugin could, of course, modify the display or something of a PDF, the format itself is secure (at least as far as we know). Just FYI.