Adobe Still Ignores Elcomsoft-Discovered Holes

evenprime writes "In 2001, Dmitry Sklyarov described vulnerabilities in Adobe Acrobat and Adobe Acrobat Reader while giving a talk at Defcon 9. As has been previously mentioned, Dmitry was arrested the day after this talk. He and his company Elcomsoft were charged with violating the DMCA. Now Elcomsoft have announced that Adobe, two years later, has still not patched these bugs."

Big vulnerability

[m4g02]

You missed the point, the vulnerability is a big one and doesnt involve the final user.

As you may already know many companies use PDF to realse secure documents, this companies are confident that adobe security will keep the document as read only so no llama will make changes for fun or copy paste their info.

But then we have this vulnerability where you can load a custom plugin in secure mod, this plug in could use all the privileges a secure plug in has, like for example saving an unencrypted version of the file or, why not, a pain text copy.

This sound like a big vulnerability to me, but companies that use Acrobat are the ones that should be angry.

Sklyarov

[AndrewHowe]

Even the article gets it wrong now.
Sklyarov!

Re:Acrobat isn't so wonderful...

[Zeddicus_Z]

I work as an IT admin at a publishing company. We do several magazines covering various aspects of the IT industry. PDF's are vital to our production process. Why? Well, the two biggest reasons are;

• When an advertiser sends your their ad as PDF, they can be almost 100% certain that it will appear on our systems exactly the same as it did on theirs.(*)
• When we send our magazines off for printing, we can be almost 100% certain that what the printers see on their systems is what we saw on ours(**)

Aside from the above, there are many other reasons why PDF is the industry standard in publishing (and, unlike Mac, it's a real standard. Once we weaned our designers off Apple and over to PC, they've been full of nothing but praise for the platform. Yep, that's right, we're a magazine publishing company that doesn't use Apple.)

Despite your claims, HTML is never and will never be a means of displaying content the same way across multiple platforms. Heck, it wasn't even designed for that use in the first place. People try to make HTML-formatted content look exactly the same cross-platform, but when it changes layout at the even the slightest screen resolution change, it's a lost cause.

I read the Elcomsoft post to bugtraq this afternoon, and I agree Adobe's attempt to fix the problem was, at best, a poor effort. However, their failure to fix a flaw in their application does not mean that companies can up and switch to formats that not only do not do the same basic job PDF does (consistent display cross platform), but don't even claim to do so.

*Varibles such as colour saturation, monitor differences and even things as small as the level and angle of light being cast onto a monitor affect the display. However, this does not affect the printing process.
**Once again, you have variables that are almost uncontrollable such as types of ink, non-PDF fuckups at the printer's end, etc.

Re:Excellent!

[Vendekkai]

Many of the assumptions in posts above are incorrect. I installed Acrobat 6 a month ago, and can verify these features.

1. Acrobat has a read aloud function for the visually impaired. It's not perfect, a rather tinny voice, but it is functional. I, err, listened to a chapter or so of the latest Potter book (don't ask!) while driving, and could make perfect sense of the text to speech. This function is available when read access is given to the document.

2. Adobe does warn people in the manual that pdfs are not very secure. They don't admit that Acrobat can be cracked, but the say something to the effect of "other pdf readers may not implement the pdf security features properly, and your secure document may not retain security with those readers." Of course, you can remove any pdf security with GhostScript, using a cracked dll.

Vend Ekkai

Re:NOT a problem

[Matrix272]

This "vulnerability" means that you can run plugins WITHOUT having them signed by Adobe.

THAT is the problem. Companies use Adobe Acrobat to create forms that should not be altered outside the company, like contracts, and send them to their customers to fill out. If said company can no longer trust that their customers won't be able to change text in their contract without notifying them, then Adobe Acrobat is completely meaningless.

My last job was at an ISP that would create contracts and accounting papers in Acrobat, then send them to people to fill in certain information. Sometimes, the documents could be 30-50 pages in length. It obviously would take quite a long time to manually go through and verify that nothing inappropriate (i.e. the cost of getting out of the contract) would be changed. Of course, in that case, the company deserved whatever it got, but that's beside the point.