Slashdot Mirror

← Back to Stories (view on slashdot.org)

Adobe Still Ignores Elcomsoft-Discovered Holes

Posted by timothy on from the arrest-that-man-officer dept.

evenprime writes "In 2001, Dmitry Sklyarov described vulnerabilities in Adobe Acrobat and Adobe Acrobat Reader while giving a talk at Defcon 9. As has been previously mentioned, Dmitry was arrested the day after this talk. He and his company Elcomsoft were charged with violating the DMCA. Now Elcomsoft have announced that Adobe, two years later, has still not patched these bugs."

14 of 305 comments (clear)

  1. What motivation do they have to fix it? by mikeophile · · Score: 5, Insightful
    They have the DMCA to sue those who exploit it for a new source of revenue.

    Maybe more companies will bait their software with easy exploits to snare those who try to circumvent it

    If nothing else, it gives the companies an excuse to their shareholders for shoddy coding.

  2. Excellent! by Noryungi · · Score: 5, Insightful

    As I have said before, one of my friend is blind.

    Have you got any idea how fscking difficult it is for the poor chap to read "protected"[1] PDF files? Trust me, it's pure hell!!

    At least, since Adobe has decided to pull an MS on its users and ignore known problems, maybe I'll be able to crack some of these protected files for my friend, so that he can read them.

    So, there are, er, ahem... unexpected benefits to this sh___y Adobe attitude...

    Just my US$ 0.02...

    [1] "Protected" as in: "can't print, can't copy, can't save as". Yes, Virginia, you can create that kind of PDF files!

    --
    The right to offend is far more important than the right not to be offended. (Rowan Atkinson)
    1. Re:Excellent! by ameoba · · Score: 4, Insightful

      The obvious thing to do is to sue Adobe since their free product discriminates against the blind.

      --
      my sig's at the bottom of the page.
  3. Team up with Lexmark? by dmeranda · · Score: 5, Insightful

    Perhaps Adobe should work with Lexmark to help them out with the crypto coding; you know, that great company that protects the consumer against accidentally using cheap ink with strong cryptographic chips. Then Adobe could not only provide a PDF option to prevent you from printing a document, they could also enforce that if printed, a PDF document will only be printed with 100%-genuine Lexmark toner. Oh, I see another option with Kodak here, perhaps by embedding RFID tags directly in that specical Kodak paper.

    BTW, did anyone notice that with the latest PDF specification, version 1.5, which corresponds to Acrobat 6, that they added verbage to the copyright/license part to enforce that all software which implements the PDF specification must obey all those stupid magic security bits? They claim the specification is open and free for anybody to develop software around it, but that since the "format" is copyrighted all independently developed software must obey their fragile DRM schemes. How in the world can they copyright a format; sure their specification is copyrighted being a printed work, but the "format"?

    1. Re:Team up with Lexmark? by Zork+the+Almighty · · Score: 4, Insightful

      I don't think you could copyright a format... yet. But with the existing extortio- I mean patent system you could probably patent one. I'm going to patent encoding letters of the english alphabet as binary numbers.

      --

      In Soviet America the banks rob you!
  4. Who do we contact at Adobe? by torpor · · Score: 5, Insightful

    I, personally, would like to make my annoyance at this situation known.

    Who do we contact at Adobe? How do we make a serious stink about this? Are the board members of this company contactable somehow? I'd go to the effort of writing a decent letter explaining to them their stupidity and callousness, if I knew where to send it.

    --
    ; -- the corruption of government starts with its secrets. a truly free people keep no secrets. --
  5. Re:Acrobat isn't so wonderful... by agent+dero · · Score: 5, Insightful

    As soon as you implement this, we can talk.

    Until Java is supported well cross-platform, and as soon as you can somehow get people to obey all your PHP-HTML-Java rules, then be queit.

    The beauty of PDF, is exactly it's name Portable Document Format just about every platform supports PDF in one form or another, besides a couple ignored security holes here and there, I think PDF is a functional format.

    You can have formatted text and images, looking the same on just about every platform that has a GUI.

    --
    Error 407 - No creative sig found
  6. And the /. community says I told you so by lavalyn · · Score: 5, Insightful

    After all, we knew the DMCA would have this effect on companies and software, where bugfixes are unnecessary by litigation.

    Why fix software when we can send lawyers and make examples and burning effigies instead?

    --
    Doing the Right Thing should not be preempted by making a buck.
  7. DMCA = right to sue, != requirement to fix by cenonce · · Score: 5, Insightful

    This really shouldn't surprise anyone. The DMCA gives companies a right to sue if you reverse engineer an encyption device. But the DMCA offers no protecting to the consumer by requireing a company to FIX the problem.

    Besides /., this story has not had a whole lot of publicity. Add to that the fact that most people wouldn't know how to decrypt the e-books (and, more importantly, probably don't all that much care), there really isn't much incentive for Adobe to fix it.

    The puzzling thing to me is that it seems like it really wouldn't cost all that much to fix. I mean, it is a patch afterall and every friggin time I start up Photoshop Elements it is downloading some update (though not sending any of my personal information... hehe!).

    IAAL, so what I start to think is: Does Adobe have any liability for failure to patch the software when an author loses money because his or her ebook is pirated? No doubt in advertising and selling the software, Adobe touted the encryption as a safety feature. Contributory infringement, maybe? Misrepresentation? A warranty theory? Hmm....

  8. unsurprising and unfixable by Eivind · · Score: 5, Insightful
    This is not surprising. What Adobe is trying to do is fundamentally impossible to do as long as the users still have ultimate control over their computers.

    Adobe is trying to tell customers that they have a format in which you can send a document to someone, and that document will only be readable on that one computer, or will not be printable, or will not be copyable to the clipboard or whatever.

    This is fundamentally impossible. If my computer can display the document on screen for me, then this means that the computer MUST have all the required information to do so. This includes any and all secret keys if the document is encrypted and so on.

    This implies that the computer also has all the info needed to print the document, or copy it to the clipboard or whatever. Now, Adobes product could only work if the computer "knew" how to do this, but refused to do it anyway, in other words, if the computer was not obeying the end-user.

    This is possible with secure hardware and similar that refuse to run code that is not digitally signed by the real master (not the end-user and owner!). But with the current computers that happily run anything you the user want in priviledged mode it is not possible.

    Sure they could, and probably should, patch this spesific hole. But there's nothing Adobe can do to make they so-called "secure pdf" actually do what they claim it will do. And they know it.

  9. Re:Misleading title, misleading hype... by pjrc · · Score: 4, Insightful
    Also, as long as Elcom is thowing stones of "Adobe is slow, unresponsive" and still has a weakness after their attempt to fix the problem, consider Elcom's standard of professional conduct:

    1. Discover weakness in Acrobat Reader
    2. Create exploit tool and sell it commercially
    3. Announce the exploit at Defcon and distribute some free copies of the polished, for-profit exploit
    4. Dmitry gets arrested, infamous DMCA case...
    5. Eventually report the bug to CERT, after Dmitry case resolved
    6. Adobe reworks plugin authentication/signing in next major release, but a flaw still remains where unsigned plugins can patch Acrobat's in-memory image and obtain unathorized privs (CERT avdisory only covers signing weakness)
    7. Elcom complains that Adobe has ignored problem and done nothing.

    The DMCA sucks, Adobe is unresponsive, and Dmitry shoulda been released promptly.... but regardless of all that, everybody should remember that we're dealing with a for-profit company that discovered weaknesses and first created and SOLD for-profit exploits and went on a campaign to promote it... and only reported to CERT after a legal battle that forced them to pull their commercial exploit product from the market.

    --
    PJRC: Electronic Projects, 8051 Microcontroller Tools
  10. Re:Acrobat isn't so wonderful... by Rogerborg · · Score: 4, Insightful

    >You generally use vector fonts in HTML (such as Truetype Arial and Times).

    Sure, go ahead and specify those fonts. Is my Lynx text mode console browser going to render them? What you mean is that it should look as you intended on (e.g.) IE 6.0.2800.1106.xpsp2.030422-1633 on XP Home build 2002 SP1 English with the exact fonts that you had on your machine when you created it.

    --
    If you were blocking sigs, you wouldn't have to read this.
  11. What about the end user's responsibility? by ipour · · Score: 5, Insightful

    Too many people don't pay attention to where their plug-ins and other downloads come from - that is where a big part of the problem starts. End users need to own up to that fact that when a warning comes up about an unsigned or questionable certificate, they need to ask some serious questions before installing.

    Sure, Adobe still has a "vulnerability" in the strict sense of the word, and if they want to continue marketing a weak security product, that is their business. In my opinion, their inspired release of Acrobat Elements will make Adobe a bigger player and Acrobat a major product. Going in to this with a problem is just bad business and will not help them. And whacking the messenger with the DMCA is definitely not a solution!

  12. Re:relapse by anagama · · Score: 4, Insightful

    I think the prior poster was worried about having no control over distribution of his writings. And it sure looks like this vulnerability makes Adobe NOT do what Adobe says - that's like false advertising. Here's a quote from the report:

    However, using the vulnerability described above, the plug-in with forged signature can perform virtually everything, including but not limited to:
    - removing or modifying any restrictions (from copying text to Clipboard, printing etc) from the documents loaded into Adobe Acrobat or Adobe Reader;
    - remove any DRM (Digital Rights Management) schemes from PDF documents, regardless the encryption handler used -- WebBuy, InterTrust DocBox, Adobe DRM (EBX) etc;
    - modify or remove digital signatures used within a PDF document;
    - affect any/all other aspects of a document's confidentiality, integrity and authenticity.

    --
    What changed under Obama? Nothing Good