Slashdot Mirror


Adobe Still Ignores Elcomsoft-Discovered Holes

evenprime writes "In 2001, Dmitry Sklyarov described vulnerabilities in Adobe Acrobat and Adobe Acrobat Reader while giving a talk at Defcon 9. As has been previously mentioned, Dmitry was arrested the day after this talk. He and his company Elcomsoft were charged with violating the DMCA. Now Elcomsoft have announced that Adobe, two years later, has still not patched these bugs."


  1. What motivation do they have to fix it? by mikeophile · · Score: 5, Insightful
    They have the DMCA to sue those who exploit it for a new source of revenue.

    Maybe more companies will bait their software with easy exploits to snare those who try to circumvent it.

    If nothing else, it gives the companies an excuse to their shareholders for shoddy coding.

  2. Excellent! by Noryungi · · Score: 5, Insightful

    As I have said before, one of my friends is blind.

    Have you got any idea how fscking difficult it is for the poor chap to read "protected"[1] PDF files? Trust me, it's pure hell!!

    At least, since Adobe has decided to pull an MS on its users and ignore known problems, maybe I'll be able to crack some of these protected files for my friend, so that he can read them.

    So, there are, er, ahem... unexpected benefits to this sh___y Adobe attitude...

    Just my US$ 0.02...

    [1] "Protected" as in: "can't print, can't copy, can't save as". Yes, Virginia, you can create that kind of PDF files!

    --
    The right to offend is far more important than the right not to be offended. (Rowan Atkinson)
    1. Re:Excellent! by ameoba · · Score: 4, Insightful

      The obvious thing to do is to sue Adobe since their free product discriminates against the blind.

      --
      my sig's at the bottom of the page.
  3. Team up with Lexmark? by dmeranda · · Score: 5, Insightful

    Perhaps Adobe should work with Lexmark to help them out with the crypto coding; you know, that great company that protects the consumer against accidentally using cheap ink with strong cryptographic chips. Then Adobe could not only provide a PDF option to prevent you from printing a document, they could also enforce that if printed, a PDF document will only be printed with 100%-genuine Lexmark toner. Oh, I see another option with Kodak here, perhaps by embedding RFID tags directly in that special Kodak paper.

    BTW, did anyone notice that with the latest PDF specification, version 1.5, which corresponds to Acrobat 6, that they added verbiage to the copyright/license part to enforce that all software which implements the PDF specification must obey all those stupid magic security bits? They claim the specification is open and free for anybody to develop software around it, but that since the "format" is copyrighted all independently developed software must obey their fragile DRM schemes. How in the world can they copyright a format; sure their specification is copyrighted being a printed work, but the "format"?

    1. Re:Team up with Lexmark? by Zork+the+Almighty · · Score: 4, Insightful

      I don't think you could copyright a format... yet. But with the existing extortio- I mean patent system you could probably patent one. I'm going to patent encoding letters of the English alphabet as binary numbers.

      --

      In Soviet America the banks rob you!
  4. Who do we contact at Adobe? by torpor · · Score: 5, Insightful

    I, personally, would like to make my annoyance at this situation known.

    Who do we contact at Adobe? How do we make a serious stink about this? Are the board members of this company contactable somehow? I'd go to the effort of writing a decent letter explaining to them their stupidity and callousness, if I knew where to send it.

    --
    ; -- the corruption of government starts with its secrets. a truly free people keep no secrets. --
    1. Re:Who do we contact at Adobe? by pjrc · · Score: 2, Insightful
      Before you contact Adobe and "make a serious stink"....

      Consider the irony that you will be complaining about how Adobe is authenticating the trustworthiness of plugins, based on misleading information in an angry rant from a very untrustworthy Russian company with a history of discovering Adobe's vulnerabilities and then selling (for profit) exploit tools that exploit those vulnerabilities.

      What were you going to complain about again to Adobe's senior management... oh yes, it was "their stupidity and callousness".

      Naturally, you'll complain that they did release a fix in version 6 in March 2003 for the vulnerability CERT published in January 2003... which Elcom reported to CERT in September 2002, only after years of promoting and selling a commercial exploit tool and ultimately having to pull it from the market based on the high profile Dmitry case.

      You'll complain it was "stupid" that their fix still has a more obscure weakness (not actually mentioned in the CERT advisory), and when they don't respond you'll call them "callous".

      Sounds like quite a serious stink to me.

  5. Re:Acrobat isn't so wonderful... by agent+dero · · Score: 5, Insightful

    As soon as you implement this, we can talk.

    Until Java is supported well cross-platform, and as soon as you can somehow get people to obey all your PHP-HTML-Java rules, then be quiet.

    The beauty of PDF is exactly its name, Portable Document Format: just about every platform supports PDF in one form or another. Besides a couple of ignored security holes here and there, I think PDF is a functional format.

    You can have formatted text and images, looking the same on just about every platform that has a GUI.

    --
    Error 407 - No creative sig found
  6. And the /. community says I told you so by lavalyn · · Score: 5, Insightful

    After all, we knew the DMCA would have this effect on companies and software, where bugfixes are unnecessary by litigation.

    Why fix software when we can send lawyers and make examples and burning effigies instead?

    --
    Doing the Right Thing should not be preempted by making a buck.
  7. Re:Acrobat isn't so wonderful... by UPi · · Score: 2, Insightful

    HTML and others do not reproduce content as faithfully as PDF does. A better replacement is good old PostScript: the only downside of PS is that it takes up about 2.5 times as much space as the equivalent PDF.

    Incidentally, does anyone know of any patents or copyrights on PS?

  8. Re:Acrobat isn't so wonderful... by 1u3hr · · Score: 2, Insightful
    Isn't Acrobat VECTOR based? That's why the fonts don't pixelate no matter how far you zoom in or enlarge the document. How do you plan on doing that with HTML?

    PDF has many advantages, but that isn't one of them. You generally use vector fonts in HTML (such as Truetype Arial and Times). When I zoom a HTML page, the type stays smooth. However, graphics in HTML are only bitmap (jpeg, gif, png), and these may not scale so nicely. PDF generally includes images as jpegs, but also can have vector graphics.

  9. How viruses spread and how to prevent it by yerricde · · Score: 3, Insightful

    As far as I know, most viruses in their execution work using common OS scripts and commands.

    As far as I know, most Windows viruses can't spread without either 1. opening an outgoing connection on SMTP's port, 2. telling Outlook to open an outgoing connection on SMTP's port, or 3. opening executables installed by the administrator for writing. Not giving unknown programs the capability to do this would stop viruses from spreading. This is possible even in a Windows environment: don't allow unknown programs to open connections to ports they have no business with (e.g. only Postfix should open an SMTP session), don't give users the right to overwrite files outside of the temp directory and the user's home directory, and run executable e-mail attachments as the Guest user.

    --
    Will I retire or break 10K?
  10. DMCA = right to sue, != requirement to fix by cenonce · · Score: 5, Insightful

    This really shouldn't surprise anyone. The DMCA gives companies a right to sue if you reverse engineer an encryption device. But the DMCA offers no protection to the consumer by requiring a company to FIX the problem.

    Besides /., this story has not had a whole lot of publicity. Add to that the fact that most people wouldn't know how to decrypt the e-books (and, more importantly, probably don't all that much care), there really isn't much incentive for Adobe to fix it.

    The puzzling thing to me is that it seems like it really wouldn't cost all that much to fix. I mean, it is a patch after all and every friggin time I start up Photoshop Elements it is downloading some update (though not sending any of my personal information... hehe!).

    IAAL, so what I start to think is: Does Adobe have any liability for failure to patch the software when an author loses money because his or her ebook is pirated? No doubt in advertising and selling the software, Adobe touted the encryption as a safety feature. Contributory infringement, maybe? Misrepresentation? A warranty theory? Hmm....

  11. unsurprising and unfixable by Eivind · · Score: 5, Insightful
    This is not surprising. What Adobe is trying to do is fundamentally impossible to do as long as the users still have ultimate control over their computers.

    Adobe is trying to tell customers that they have a format in which you can send a document to someone, and that document will only be readable on that one computer, or will not be printable, or will not be copyable to the clipboard or whatever.

    This is fundamentally impossible. If my computer can display the document on screen for me, then this means that the computer MUST have all the required information to do so. This includes any and all secret keys if the document is encrypted and so on.

    This implies that the computer also has all the info needed to print the document, or copy it to the clipboard or whatever. Now, Adobe's product could only work if the computer "knew" how to do this, but refused to do it anyway, in other words, if the computer was not obeying the end-user.

    This is possible with secure hardware and similar that refuse to run code that is not digitally signed by the real master (not the end-user and owner!). But with the current computers that happily run anything you the user want in privileged mode it is not possible.

    Sure they could, and probably should, patch this specific hole. But there's nothing Adobe can do to make their so-called "secure pdf" actually do what they claim it will do. And they know it.

    1. Re:unsurprising and unfixable by pclminion · · Score: 2, Insightful
      This is possible with secure hardware and similar that refuse to run code that is not digitally signed by the real master

      No, even that will be defeated. The digital signature is checked only once (it would be ridiculous to re-check it, say, before executing each instruction). There's a billion different ways you can take advantage of this. Say, for example, some code is loaded into RAM and its signature is checked. Now, all you have to do is replace the "validated" program with your own code in RAM. Supposedly the OS won't allow you to do this. So you create a device, kind of like a Game Genie, and you plug that into the DIMM slot, and plug the DIMM into it. Call it a RAM Genie if you want. The RAM Genie will twiddle the bits, either directly in the DIMM, or as the electrical signals pass through it. Wham, untrusted code is executing.

      The only way to prevent something like that is to make it impossible for the user to modify the hardware. Even if the RAM is built onto the board, there are these people called "electrical engineers" who will easily figure out how to get around it.

      The whole damn DRM exercise is pointless.

  12. Re:Misleading title, misleading hype... by pjrc · · Score: 4, Insightful
    Also, as long as Elcom is throwing stones of "Adobe is slow, unresponsive" and still has a weakness after their attempt to fix the problem, consider Elcom's standard of professional conduct:

    1. Discover weakness in Acrobat Reader
    2. Create exploit tool and sell it commercially
    3. Announce the exploit at Defcon and distribute some free copies of the polished, for-profit exploit
    4. Dmitry gets arrested, infamous DMCA case...
    5. Eventually report the bug to CERT, after Dmitry case resolved
    6. Adobe reworks plugin authentication/signing in next major release, but a flaw still remains where unsigned plugins can patch Acrobat's in-memory image and obtain unauthorized privs (CERT advisory only covers signing weakness)
    7. Elcom complains that Adobe has ignored problem and done nothing.

    The DMCA sucks, Adobe is unresponsive, and Dmitry shoulda been released promptly.... but regardless of all that, everybody should remember that we're dealing with a for-profit company that discovered weaknesses and first created and SOLD for-profit exploits and went on a campaign to promote it... and only reported to CERT after a legal battle that forced them to pull their commercial exploit product from the market.

  13. Re:Acrobat isn't so wonderful... by Rogerborg · · Score: 4, Insightful

    >You generally use vector fonts in HTML (such as Truetype Arial and Times).

    Sure, go ahead and specify those fonts. Is my Lynx text mode console browser going to render them? What you mean is that it should look as you intended on (e.g.) IE 6.0.2800.1106.xpsp2.030422-1633 on XP Home build 2002 SP1 English with the exact fonts that you had on your machine when you created it.

    --
    If you were blocking sigs, you wouldn't have to read this.
  14. Re:Most people can't do both. by RickHunter · · Score: 2, Insightful

    Of course a manager can't run something he doesn't understand. But modern business theory says that the product (or technology) doesn't matter. All that matters - all - is your cash-flow strategy. Of course, this theory couldn't possibly be wrong and responsible for the collapse of the domestic tech industry (or the economic depression in general). No, that must be because tech is "commoditizing" and there's nothing new to do, right?

    Of course, this doesn't work. Like outsourcing and moving jobs overseas to people willing to work for 1% of the salary because they need to avoid starvation, it winds up causing more economic harm than good. But it looks good on the next quarter earnings report, so it must be worthwhile.

  15. Re:relapse by Alexander · · Score: 2, Insightful

    "I have been hard-working during 18 months in an American Corp, I know what it is about."

    That's just about the silliest thing I've ever read there, Mirko. It would be just as silly for me to say "I've been to Paris twice, so I know what French people are all about, arrogant and stinky!"

    Please leave absurd generalizations to the trolls.

    --
    "oohhh... I didn't know Schopenhauer was a philosopher!" ..."uhhh yeah, he's the one that begins with
  16. What about the end user's responsibility? by ipour · · Score: 5, Insightful

    Too many people don't pay attention to where their plug-ins and other downloads come from - that is where a big part of the problem starts. End users need to own up to the fact that when a warning comes up about an unsigned or questionable certificate, they need to ask some serious questions before installing.

    Sure, Adobe still has a "vulnerability" in the strict sense of the word, and if they want to continue marketing a weak security product, that is their business. In my opinion, their inspired release of Acrobat Elements will make Adobe a bigger player and Acrobat a major product. Going in to this with a problem is just bad business and will not help them. And whacking the messenger with the DMCA is definitely not a solution!

  17. "cracked" dll? by cascadingstylesheet · · Score: 2, Insightful

    Of course, you can remove any pdf security with GhostScript, using a cracked dll.

    You don't need to crack the dll - you could just take the open source version, change the source, and compile it.

    "Cracked dll" sounds sexier, I suppose ;) After all, only evil hackers would want to defeat "PDF security" :)

  18. Re:relapse by dnoyeb · · Score: 2, Insightful

    NOTE: The main problem is they don't sic the lawyers, the lawyers sic themselves.

    The lawyers see this and get all huffy, and complain to management with a bunch of mumbo jumbo and entice them into letting them sue. It's how they get paid. If they are not suing anyone their personal value decreases.

    If programmers took the same attitude, they would be complaining about the HOLE just as the lawyers complain about the information.

  19. Re:Bwahaha! by Black+Perl · · Score: 2, Insightful

    I don't know if that last bit was a troll or not, if so you got some of us. Adobe will continue to make Mac programs for a long time. They are only dropping support for Premiere, because other products have taken over the high end and iMovie has taken over the low end of the video editing market. Hardly anybody uses Premiere anymore on a Mac.

    --
    bp
  20. Re:NOT a problem by 1u3hr · · Score: 2, Insightful
    THAT is the problem. Companies use Adobe Acrobat to create forms that should not be altered outside the company, like contracts, and send them to their customers to fill out. If said company can no longer trust that their customers won't be able to change text in their contract without notifying them, then Adobe Acrobat is completely meaningless

    Well, I don't want to sound like a jerk, but it's not my problem, and security settings (often applied inappropriately or inadvertently) cause me a lot of hassles.

    Actually, if such a change to a contract was made it would be easy to prove when it came to light and grounds for criminal charges, (forgery, fraud, whatever). The same as someone making changes to a paper contract. This is a case of using technical means to "enforce" legalities, and in the process inconveniencing the vast majority of PDF users who use it to transfer and use artwork in publishing. Security was an afterthought, and has never worked well, and I'm happy with that.

    Anecdote: Almost 20 years ago, when Adobe introduced PostScript, they tried to keep it proprietary. Fonts in particular were encrypted, and for a long time only Adobe knew how to make real Type 1 fonts, which were very expensive. Then the format was reverse engineered, and we had dozens, then hundreds of alternate sources of quality fonts much cheaper. Adobe eventually opened the format when Truetype appeared which was an open format from the beginning.

    It obviously would take quite a long time to manually go through and verify ...

    This could be easily automated, (I can think of several methods off the top of my head, I'm sure you can too) and since this "vulnerability" has been known for two years or more, and is still open, maybe you should be doing that now.

  21. Re:relapse by Austerity+Empowers · · Score: 3, Insightful

    Couldn't agree with you more, I'm quite convinced that American companies are all about taking the easy way, in technology and elsewhere. I can't tell you how many times my managers have tried to convince me "the right thing" was building a substandard product, or screwed up a product by doing something that SOUNDS good to a roomful of suits but is in reality incredibly stupid and shortsighted.

    Engineers have to share some of the blame however, I can't tell you how many good engineers refuse to go in to management because they honestly believe they are incapable (by virtue of being an engineer and not the best-people persons) or because they don't want to turn into their present manager and make those boneheaded decisions. Part of being a good engineer or manager is learning how to tell the boss to shove it when he asks you to do something wrong. Good bosses (technical or not) won't hold it against you as long as you're polite. Bad bosses don't deserve your help. Either way, bad management starts with bad understanding of technology, and gets worse with overly docile (and job-scared) engineers. People skills have value, but let's face it, knowing how a good widget gets built is more important.

  22. Re:Misleading title, misleading hype... by Vladimir+Katalov · · Score: 2, Insightful

    The reality is: Adobe is closing small windows, but leaving the large door open. This is absolutely senseless and silly. The whole security model of Adobe software is close-to-fake, and has to be rewritten from scratch.

    Btw, the "new" problem (about possibility of memory patching) is as old as Adobe Acrobat Reader is, and well-known to Adobe for even more than two years.

    But feel free to think about our reasons for publishing the vulnerabilities ;) Just don't be surprised when you'll find your credit card numbers, private documents etc publicly available for anyone -- due to the simple reason that vendors fail to fix the bugs in their software.

  23. Re:Always looks the same: like shit by danila · · Score: 2, Insightful

    The parent might be flamebait, but it is also insightful.

    Adding artificial limitations to computer programs is stupid. PDF format is evil and serves little valid purposes. One of them is remote printing - sending an electronic copy to someone else, who can print it and have the print layout preserved. But if you need to print the document, you can probably get it in .doc format and find a Windoze machine somewhere around (or a Mac, or *nix with OpenOffice, or anything else).

    Unfortunately, most people don't use PDFs for printing, they use PDFs to read the documents on the computer, using their screens, not paper. And treating the electronic document as a paper one (even with continuous pages) is extremely stupid. If we judge Acrobat Reader not on the basis of how similar documents look on PalmOS PDA and on some Weird (tm) computer with some Queer OS (tm), but on the basis of its reader functionality, it will probably get rated only 4/10, not more. There are millions of important and useful features that are missing in Acrobat Reader. Like automatically opening the document at the same position where you were reading it last time (and remember my settings, not document default settings). Or changing the fonts/colour/background as it suits this individual user. Or the ability to make notes, highlight text, doodle on the margins, etc. (not in the Adobe Acrobat, but in the Acrobat Reader, where they are actually needed). And the ability to start up instantly (what good is a reference book if you're unable to check it quickly?).

    And please don't forget that if you give the fool the ability to create PDF files, the biggest problem is that he will use it. There are too many PDF files and most often the same task can be done MUCH better by an .html file, or even a .doc file (as proprietary as it is).

    In short, the Acrobat Reader is actually crap, it is total crap, it is a lame piece of crap or, as the parent so elegantly put it, it is a "fucking nazi peice of shit".

    --
    Future Wiki -- If you don't think about the future, you cannot have one.
  24. Re:Acrobat isn't so wonderful... by danila · · Score: 2, Insightful

    Your post is interesting and informative, but slightly off-topic. It boils down to the fact that PDF is good for publishing industry. Sure, but the story is about ebooks.

    1) While PDF is a good solution (as I already said in another post) for remote printing, the applications supporting it (Acrobat Reader) are a very poor choice for well, reading. Reading ebooks in Acrobat Reader is like wiping your ass with emery paper. :)
    2) While HTML is a poor choice for publishers, a similar XML-based format could be made (maybe it already exists), that would work just as well as PDF.
    3) It is actually a good thing that they haven't fixed the bug. More power to the readers, I say! :)

    --
    Future Wiki -- If you don't think about the future, you cannot have one.
  25. Re:Microsoft does the same... and profits!! by SmittyTheBold · · Score: 3, Insightful

    UNIX is not immune, just an unlikely target because:

    1) It (has been/is) relatively uncommon. The old Mac OS had a couple hundred native viruses, compared to the tens of thousands for MS OSes. It's not because they were less vulnerable, it's because they were less common. Now, extrapolate from the 95/5% usage patterns of Windows 3.1/Mac OS 7, and try to figure out how many viruses the old .1% of computers that were UNIX would figure in.

    2) Huge variety of platforms. The same compiled code that runs on an PA-RISC machine will not run under Sparc, MIPS, POWER, etc. Add into that the wide variety of OSes on each platform (Sparc Linux, Solaris, Sparc NetBSD) and you have a relatively low concentration of machines vulnerable to any given exploit.

    3) Different users. The dicks who write virii are usually not going to be the same people that administer a machine for a living, they're going to be the 20-year-old college kid with too much time on his hands. They have access to a Windows machine, but probably not high-level access to a *NIX machine.

    4) Most virii we see now are not OS-targetted. Sure, it may use Win32 functions, but it's really an Outlook virus. Or a Word virus.

    5) Low chance for inter-machine interaction. What's the chance that a Windows machine will be talking to another Windows machine? Most users are on a Windows machine, so the list of possible transmission vectors is immense compared to those for other platforms.

    Sure, the security model in UNIX is more thorough than that of Windows. Still, there have been a fair number of root exploits in common daemons lately that would allow a worm/virus to spread - but because of the above reasons, UNIX just isn't a good target for a virus writer.

    --
    ± 29 dB
  26. i guess the 1st amendment is useless? by LifesABeach · · Score: 1, Insightful

    i remember a time when a person could say 'that product sucks, and here's why...', and not get busted for it.

    it also painfully reminds me of the events that caused the incidents at watts, and berkeley.

    but i could be wrong, maybe this is what the controllers at adobe want? very interesting.

  27. Symptomatic of "managing" as a profession by 0x0d0a · · Score: 2, Insightful

    Business schools have set models and techniques of management that are designed to be generic. You can't sell a product (generic business education) if it doesn't work in all fields. Business schools, IMHO, are a damn waste of time.

    Also, if you really want to make "managing" a profession, then the traditional hierarchy-of-power-implies-hierarchy-of-pay model where managers make more money than the people working for them doesn't make sense. It was designed in the days when managers worked their way up from the ranks, and were the most senior and experienced of the rank-and-file. This fixed pay structure (despite the fact that it's much easier to find a business degree than, say, a chemical engineering degree) violates our demand/supply model.

    To some extent, the business world has already recognized this, which is why the highly-paid-consultant, the guy who makes more than the manager hiring him, has come to the fore. It's also a shame that this can't be recognized and also applied to regular engineer employees.

  28. Re:Acrobat isn't so wonderful... by Anonymous Coward · · Score: 1, Insightful

    you troll -- the postscript format is more portable than PDF. And Java is more cross-platform than PDF.

  29. Re:relapse by anagama · · Score: 4, Insightful

    I think the prior poster was worried about having no control over distribution of his writings. And it sure looks like this vulnerability makes Adobe NOT do what Adobe says - that's like false advertising. Here's a quote from the report:

    However, using the vulnerability described above, the plug-in with forged signature can perform virtually everything, including but not limited to:
    - removing or modifying any restrictions (from copying text to Clipboard, printing etc) from the documents loaded into Adobe Acrobat or Adobe Reader;
    - remove any DRM (Digital Rights Management) schemes from PDF documents, regardless the encryption handler used -- WebBuy, InterTrust DocBox, Adobe DRM (EBX) etc;
    - modify or remove digital signatures used within a PDF document;
    - affect any/all other aspects of a document's confidentiality, integrity and authenticity.

    --
    What changed under Obama? Nothing Good
  30. Re:NOT a problem by 1u3hr · · Score: 2, Insightful
    Just because you're irritated at the nature of electronic security

    I'm irritated at "security" being shoehorned into a DTP application. Also, since it isn't secure anyway (as the article), it's just making me waste my time and only providing you with imaginary security.

    If the "securing" stage is too irritating or annoying, why don't you use Microsoft Word or OpenOffice Writer or something that doesn't have those options?

    Because those applications are quite useless for DTP.

    I use PDF because it's part of a publishing system. I lay out books, print to PDF, the printer prints them. That's all I'm interested in. PDF is the lingua franca of DTP. That's what it was designed for. You can use it for what you want, but don't make it harder for the rest of us.

    The "security applications" you mentioned hardly require the graphic abilities of PDF. I'm sure there are many more secure methods of transferring data. Make one of those more user-friendly, and forget about the broken security of Acrobat. There are many things in this world that can easily be done, but shouldn't have to be.

    My point was that the vulnerability already exists, and if you want to use them for those purposes, you should make sure that they really haven't been tampered with. You said "deal with the problem". That's exactly what I meant. There are probably off-the shelf apps that can compare two PDFs (there is one built in, but it could be better). If the only difference is the signature, then you're fine. Of course, it'd be much simpler if you just used ASCII -- and I don't see why not.

  31. Re:relapse by mentin · · Score: 2, Insightful
    It's a lot less effort to sic the lawyers on people than actually PATCH the vulnerability. Security through obscurity

    There is nothing Adobe can do to fix this "vulnerability". Any software-based Digital Rights Management scheme is expected to be broken. Remember this is not "security through obscurity" but "DRM through obscurity." Good security is done through good math, but no math would get you good DRM. Any DRM app is finally based on obscurity and can be broken, the only difference between one app and another is the amount of effort it takes to break it.

    Of course Palladium can change it, but until it, any DRM is expected to be cracked some day. Reporting their crack as "vulnerability" is just cheap publicity for Elcom Soft.

    --
    MSDOS: 20+ years without remote hole in the default install
  32. Thus, Palladium by Thuktun · · Score: 2, Insightful

    This is not surprising. What Adobe is trying to do is fundamentally impossible to do as long as the users still have ultimate control over their computers.

    Microsoft has a solution for that.

  33. Do they really need us anymore? by August_zero · · Score: 2, Insightful

    Someone explain to me what it is exactly we are supposed to do concerning security issues when the following seems to be the standard M.O.:

    1)Create Buggy Software
    2)Prosecute anybody who finds these bugs.
    3)?????
    4)Profit!!!

    Why not just pass a law to make it illegal to complain?

    --
    On Wall Street they say "buy low, sell high" On the pad we say, "buy high, sell high" Isn't that somehow better?